[Snort-users] 1.8.4b4: "-i any" fails under RedHat 7.1

David Bianco bianco at ...5229...
Thu Mar 7 12:23:18 EST 2002


I've spent most of the day researching this issue, so I'm hoping someone
else out here can give me a clue.

I've got a RedHat 7.1 box (kernel 2.4.9-31) and 3 NICs.  eth0 is the 
primary network interface, connected to our LAN.  eth1 and eth2 are 
connected to our network tap to monitor a different segment.  I want to
have snort monitor eth1 and eth2 in one process.  Both eth1 and eth2
are Intel Pro/1000T gigabit cards, though they are only working 100mb/s
mode.

According to everything I've read, this should work fine.  Snort 1.8.4b4
supports the "any" interface, as does libpcap-0.6.2, which is what I've
got installed on my system.  Indeed, when I run "snort -i any -v" it
starts up and dumps traffic, but it only dumps traffic it sees on eth0.
The startup message from snort even says it's listening on 'any' but I
don't really think it is.  If I start with "snort -i eth1 -v" (or the
equivalent for eth2) I get the expected output. 

If anyone has seen this behavior before or can provide me with a clue,
I'd be grateful.

    Thanks,
      David


-- 
David J. Bianco, GSEC		<bianco at ...5229...>
Thomas Jefferson National Accelerator Facility

     The views expressed herein are soley those of the author and
	    not those of SURA/Jefferson Lab or the US DOE.




More information about the Snort-users mailing list