[Snort-users] 1.8.4b4: "-i any" fails under RedHat 7.1
bianco at ...5229...
Thu Mar 7 12:23:18 EST 2002
I've spent most of the day researching this issue, so I'm hoping someone
else out here can give me a clue.

I've got a RedHat 7.1 box (kernel 2.4.9-31) and 3 NICs. eth0 is the
primary network interface, connected to our LAN. eth1 and eth2 are
connected to our network tap to monitor a different segment. I want to
have snort monitor eth1 and eth2 in one process. Both eth1 and eth2
are Intel Pro/1000T gigabit cards, though they are only working 100mb/s.

According to everything I've read, this should work fine. Snort 1.8.4b4
supports the "any" interface, as does libpcap-0.6.2, which is what I've
got installed on my system. Indeed, when I run "snort -i any -v" it
starts up and dumps traffic, but it only dumps traffic it sees on eth0.
The startup message from snort even says it's listening on 'any' but I
don't really think it is. If I start with "snort -i eth1 -v" (or the
equivalent for eth2) I get the expected output.

If anyone has seen this behavior before or can provide me with a clue,
I'd be grateful.

David J. Bianco, GSEC <bianco at ...5229...>
Thomas Jefferson National Accelerator Facility
The views expressed herein are solely those of the author and
not those of SURA/Jefferson Lab or the US DOE.