[Snort-users] strange promiscuous mode behavior

Ben Keepper bkeepper at ...4822...
Thu Jan 31 22:05:03 EST 2002

I am having a fit trying to figure this one out.

2 Demarc/Snort sensors.  One has three NICs with one NIC to a hub
between the router and firewall, one to a hub in the DMZ, and one to the
inside network as a management interface.  All this data goes to a
dual-homed box that has one interface snorting on the inside network,
and the other interface being the main SID/MYSQL/DEMARC NIC for the
whole network.

The box that is monitoring the DMZ and outside network is using the same
dual Intel NIC to watch these segments.  The DMZ interface is working
perfectly, but the interface on the outside network refuses to see
packets.  A tcpdump reveals the ARPs, but no real data.  Even giving the
NIC an IP address within the external IP address range of the firewall
and then in promisc mode reveals no data unless the packets are directed
at that specific IP.

The hub (Netgear DS-16) in the DMZ and the external net are identical,
so I don't think it's the hub, and, like I said, this is a dual port card,
with one port perfectly content, and the other not seeing anything.

What gives?

Shouldn't I be able to see any data between the router and firewall with
a tcpdump? 



Ben Keepper
Security Engineer
"I like to play with things awhile... before annihilation" -Emperor Ming
the Merciless
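An added diagnostic for the symptom described in the post above (example code, not part of the original message or of Snort/Demarc): it parses `tcpdump -e -nn` output lines and separates frames addressed to the sniffing NIC itself or to broadcast from unicast frames between other hosts, which is the difference between a port that merely sees ARP and one that is really capturing promiscuously. The MAC addresses, IP addresses and the sensor MAC are constructed placeholders.

```python
"""Classify frames from `tcpdump -e -nn` output to check whether a sniffing
interface is really seeing traffic that is not addressed to it."""
import re
from collections import Counter

# Matches the link-layer header that tcpdump -e prints in front of each frame.
FRAME_RE = re.compile(
    r"^\S+ (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), "
    r"ethertype (?P<type>\S+) \(0x[0-9a-f]{4}\), length \d+:"
)

def classify(line, sensor_mac):
    """Return 'broadcast', 'to_sensor', 'foreign' or None for one tcpdump -e line."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    dst = m.group("dst").lower()
    # Group bit (LSB of the first octet) set => broadcast or multicast frame.
    if int(dst[:2], 16) & 1:
        return "broadcast"
    if dst == sensor_mac.lower():
        return "to_sensor"
    return "foreign"

def diagnose(lines, sensor_mac):
    """Count frame classes and give a verdict on whether promiscuous capture works."""
    counts = Counter(c for c in (classify(l, sensor_mac) for l in lines) if c)
    if counts["foreign"]:
        verdict = "ok: unicast frames between other hosts are being captured"
    elif counts["to_sensor"] or counts["broadcast"]:
        verdict = ("only broadcast/own-MAC frames: NIC not in promiscuous mode, "
                   "or the segment is not delivering other hosts' traffic to this port")
    else:
        verdict = "no frames parsed"
    return dict(counts), verdict

# Constructed sample capture (hypothetical MACs, RFC 5737 addresses): the
# symptom from the post, ARP broadcasts only.
SAMPLE_ARP_ONLY = [
    "22:05:03.100000 00:00:5e:00:53:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.1 tell 192.0.2.2, length 28",
    "22:05:03.200000 00:00:5e:00:53:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.2 tell 192.0.2.1, length 28",
]
# A working promiscuous capture on a hub: a unicast frame between router and
# firewall that is addressed to neither of the sensor's MACs.
SAMPLE_WORKING = SAMPLE_ARP_ONLY + [
    "22:05:03.300000 00:00:5e:00:53:01 > 00:00:5e:00:53:02, ethertype IPv4 (0x0800), length 74: 192.0.2.2.40000 > 198.51.100.10.80: Flags [S], seq 1, win 5840, length 0",
]
SENSOR_MAC = "00:00:5e:00:53:aa"  # hypothetical MAC of the sniffing NIC

if __name__ == "__main__":
    for name, sample in (("arp-only", SAMPLE_ARP_ONLY), ("working", SAMPLE_WORKING)):
        print(name, *diagnose(sample, SENSOR_MAC))
```

Feed it real output with `tcpdump -e -nn -i <iface> | python3 script.py` style piping, or compare a run with `-p` (no promiscuous mode) against one without to separate a driver or NIC problem from a segment that simply carries no foreign traffic.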

