[Snort-users] Drop statistics and Cisco Catalyst 6500

Dr. Richard W. Tibbs ccamp at ...4532...
Wed Mar 27 18:31:02 EST 2002

Beggin' your pardon, but... (see inline)

Crow, Owen wrote:

>>-----Original Message-----
>>From: Rich Adamson [mailto:radamson at ...2127...]
>>Sent: Wednesday, March 27, 2002 5:27 PM
>>To: 'snort-users at lists.sourceforge.net'
>>Cc: Crow, Owen
>>Subject: Re: [Snort-users] Drop statistics and Cisco Catalyst 6500
>[Agree with and understand this edited stuff.]
>>For the "packet counts", the cisco switch is basically a 
>>layer-2 device
>>so it handles all protocols. Snort is TCP/IP based, and only 
>>counts packets
>>"destined" for itself and then only IP packets. Total packets 
>>measured by
>>Snort should be less than what the port statistics reflect on 
>>the Cisco.
>>Also, Snort doesn't care about general broadcasts while the 
>>Cisco counts
>Right, Snort only analyzes IP packets, but it does analyze broadcasts and
Snort captures packets "just above the link layer", thereby getting ARP 
& RARP. These are not IP packets.
So it depends on what you mean by 'analyze'. I can't really write a snort 
rule about ARP, I suppose, but I do get ARP counts.  Just my 2 cents.

>multicasts (especially on a LAN), too.  There are at least a few
>experimental rules that use a destination of (SNMP).
>I included the Cisco drop stat just because it was one of the few populated
>stats in the output.
>We're still left with the question of why Snort is seeing more packets than
>the Cisco.
>I forgot to include the command line before, sorry:
>/usr/sbin/snort -A fast -b -l /var/log/snort -d -D -u snort -g snort -i eth2
>-c /etc/snort/snort.conf
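
To make the count discrepancy argued about above concrete, here is an added example (not from the list post, and not Snort or Cisco code) that tallies raw Ethernet frames into the buckets the thread distinguishes: IP unicast, IP broadcast/multicast, ARP, RARP and other layer-2 traffic. The frames are constructed inline; the EtherType values are the standard assignments, and the 802.1Q handling is an assumption about how a tagged monitor port might present frames.

```python
import struct

BROADCAST = b"\xff" * 6
ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_RARP, ETHERTYPE_VLAN = 0x0800, 0x0806, 0x8035, 0x8100

def build_frame(dst, ethertype, payload=b"", vlan=None):
    """Assemble a constructed Ethernet II frame (optionally 802.1Q tagged) for the demo."""
    src = bytes.fromhex("0200deadbeef")  # locally administered source MAC, constructed
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def classify_frame(frame):
    """Coarse category for one frame: everything here is counted by a switch
    port counter, but only the two 'ip-*' buckets are IP packets. One 802.1Q
    tag is skipped so the inner EtherType decides; short frames are 'runt'."""
    if len(frame) < 14:
        return "runt"
    dst = frame[:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            return "runt"
        (ethertype,) = struct.unpack("!H", frame[16:18])
    if ethertype == ETHERTYPE_IPV4:
        # ff:ff:ff:ff:ff:ff is broadcast; the low bit of the first octet marks a group address
        return "ip-bcast-mcast" if dst == BROADCAST or dst[0] & 0x01 else "ip-unicast"
    if ethertype == ETHERTYPE_ARP:
        return "arp"
    if ethertype == ETHERTYPE_RARP:
        return "rarp"
    return "other-l2"  # 802.3 length fields, LLDP, CDP, STP and so on

def tally(frames):
    """Count frames per category so port counters and IP-only counters can be reconciled."""
    counts = {}
    for frame in frames:
        key = classify_frame(frame)
        counts[key] = counts.get(key, 0) + 1
    return counts

IPV4_STUB = b"\x45" + b"\x00" * 19  # minimal IPv4 header shape, constructed
SAMPLE_FRAMES = [  # constructed traffic mix, not a capture
    build_frame(bytes.fromhex("02000000a001"), ETHERTYPE_IPV4, IPV4_STUB),
    build_frame(bytes.fromhex("02000000a001"), ETHERTYPE_IPV4, IPV4_STUB, vlan=10),
    build_frame(BROADCAST, ETHERTYPE_IPV4, IPV4_STUB),                          # IP broadcast
    build_frame(bytes.fromhex("01005e000001"), ETHERTYPE_IPV4, IPV4_STUB),      # 224.0.0.1 group
    build_frame(BROADCAST, ETHERTYPE_ARP, b"\x00\x01\x08\x00\x06\x04\x00\x01"),  # ARP request
    build_frame(BROADCAST, ETHERTYPE_RARP, b"\x00\x01\x08\x00\x06\x04\x00\x03"), # RARP request
    build_frame(bytes.fromhex("0180c2000000"), 0x0026, b"\x42\x42\x03"),        # 802.3 length field, non-IP
]
```

Summing the two `ip-*` buckets gives the figure an IP-only count would report, while the total of all buckets is what the port statistics include.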
