[Snort-users] Drop statistics and Cisco Catalyst 6500
Owen_Crow at ...2639...
Wed Mar 27 15:53:02 EST 2002
> -----Original Message-----
> From: Rich Adamson [mailto:radamson at ...2127...]
> Sent: Wednesday, March 27, 2002 5:27 PM
> To: 'snort-users at lists.sourceforge.net'
> Cc: Crow, Owen
> Subject: Re: [Snort-users] Drop statistics and Cisco Catalyst 6500
[Agree with and understand this edited stuff.]
> For the "packet counts", the cisco switch is basically a
> layer-2 device
> so it handles all protocols. Snort is TCP/IP based, and only
> counts packets
> "destined" for itself and then only IP packets. Total packets
> measured by
> Snort should be less than what the port statistics reflect on
> the Cisco.
> Also, Snort doesn't care about general broadcasts while the
> Cisco counts
Right, Snort only analyzes IP packets, but it does analyze broadcasts and
multicasts (especially on a LAN), too. There are at least a few
experimental rules that use a destination of 255.255.255.255 (SNMP).
I included the Cisco drop stat just because it was one of the few populated
stats in the output.
We're still left with the question of why Snort is seeing more packets than
I forgot to include the command line before, sorry:
/usr/sbin/snort -A fast -b -l /var/log/snort -d -D -u snort -g snort -i eth2
More information about the Snort-users