[Snort-users] Promiscuouls Mode Question
J. Craig Woods
drjung at ...2066...
Sun Sep 2 17:40:03 EDT 2001
Erek Adams wrote:
> On Sun, 2 Sep 2001, Jim Kipp wrote:
> > If I run snort or tcpdump(on eth0), then do ifconfig -a eth0, it does
> > not report PROMISC. Only when I manually set promisc does it report it.
> > But tcpdump seems to be sniffing everything. Is this normal?
> Well, I'm not a cable modem user, but I play one in 'The Young and The
> Restless'... ;-)
> Seriously, look at the traffic. Is it only traffic bound for your IP? If so,
> you're seeing what you should be when not in promisc mode. If that's the
> case, then yes, it's all working as it should.
> Try doing a 'tcpdump not host <foo>' with <foo> being your host. If you see
> traffic to/from other boxes other than ARP, then there is something kinda odd
> going on.
> Hope this helps!
> Erek Adams
I saw you, and a hell of a performance it was!!!!
More information about the Snort-users