[Snort-users] Logging Issue

John D. Caine john at ...7696...
Tue Dec 10 06:34:04 EST 2002

I've answered my own question:

    When you run snort without any options it defaults to running in
promiscuous mode. When you specify the -D option it doesn't. Evidently the
network I'm on isn't as 'switched' as it should be.


----- Original Message -----
From: "John D. Caine" <john at ...7696...>
To: <snort-users at lists.sourceforge.net>
Sent: Tuesday, December 10, 2002 12:44 PM
Subject: [Snort-users] Logging Issue


    I've got Snort running and it's logging away quite happily. There is
something that makes me scratch my head though. How come it's catching stuff
thats not destined for my machine?

Here's a scan.log entry:

12/09-16:33:08.677905  ICMP src: dst: type: 8
code: 0 tgts: 8 event_id: 204

The dst IP isn't mine! Does Snort set your ethernet card to be
'promiscuous'? Even so I'm on a swicthed network. I'ts not just portscan
that does it it ops up in the normal log too. Does anybody know what causes
this or am I reading the logs incorrectly??


Regards, John.

This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list