[Snort-users] Drop statistics and Cisco Catalyst 6500
Dr. Richard W. Tibbs
ccamp at ...4532...
Wed Mar 27 18:31:02 EST 2002
Beggin' your pardon, but... (see inline)
Crow, Owen wrote:
>>From: Rich Adamson [mailto:radamson at ...2127...]
>>Sent: Wednesday, March 27, 2002 5:27 PM
>>To: 'snort-users at lists.sourceforge.net'
>>Cc: Crow, Owen
>>Subject: Re: [Snort-users] Drop statistics and Cisco Catalyst 6500
>[Agree with and understand this edited stuff.]
>>For the "packet counts", the cisco switch is basically a
>>so it handles all protocols. Snort is TCP/IP based, and only
>>"destined" for itself and then only IP packets. Total packets
>>Snort should be less than what the port statistics reflect on
>>Also, Snort doesn't care about general broadcasts while the
>Right, Snort only analyzes IP packets, but it does analyze broadcasts and
Snort captures packets "just above the link layer", thereby getting ARP
& RARP. These are not IP packets.
So depends on what you mean by 'analyze'. I can't really write a snort
rule about ARP, I suppose, but I do get ARP counts. Just my 2 cents.
>multicasts (especially on a LAN), too. There are at least a few
>experimental rules that use a destination of 255.255.255.255 (SNMP).
>I included the Cisco drop stat just because it was one of the few populated
>stats in the output.
>We're still left with the question of why Snort is seeing more packets than
>I forgot to include the command line before, sorry:
>/usr/sbin/snort -A fast -b -l /var/log/snort -d -D -u snort -g snort -i eth2
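The point made in the reply above, that a capture taken just above the link layer also sees ARP and RARP frames that are not IP, can be checked by tallying frames by EtherType. This is an added example, not code from the thread or from Snort; the frames are constructed sample data, and `classify`, `tally` and `eth` are hypothetical helper names.

```python
import struct
from collections import Counter

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x8035: "RARP", 0x86DD: "IPv6"}
VLAN_TAG = 0x8100  # 802.1Q tag; the real EtherType follows 4 bytes later

def classify(frame: bytes):
    """Return (protocol, destination kind) for one Ethernet frame."""
    if len(frame) < 14:
        return ("truncated", "unknown")
    dst = frame[0:6]
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == VLAN_TAG:  # skip the 4-byte tag to reach the inner type
        if len(frame) < 18:
            return ("truncated", "unknown")
        (etype,) = struct.unpack("!H", frame[16:18])
    # All-ones MAC is broadcast; low bit of the first octet marks multicast.
    kind = ("broadcast" if dst == b"\xff" * 6
            else "multicast" if dst[0] & 0x01 else "unicast")
    # Values below 0x0600 are an 802.3 length field, not an EtherType.
    proto = ETHERTYPES.get(etype, "other" if etype >= 0x0600 else "802.3/LLC")
    return (proto, kind)

def tally(frames):
    """Count frames per protocol and per destination kind."""
    protos, kinds = Counter(), Counter()
    for f in frames:
        p, k = classify(f)
        protos[p] += 1
        kinds[k] += 1
    return protos, kinds

def eth(dst, etype, payload=b"\x00" * 46):
    """Build a constructed Ethernet frame (source MAC is a made-up value)."""
    return bytes.fromhex(dst) + bytes.fromhex("020000000001") + struct.pack("!H", etype) + payload

SAMPLE = [  # constructed frames, not captured traffic
    eth("020000000002", 0x0800),  # unicast IPv4
    eth("ffffffffffff", 0x0806),  # ARP request, broadcast
    eth("ffffffffffff", 0x8035),  # RARP, broadcast
    eth("ffffffffffff", 0x0800),  # IPv4 sent to 255.255.255.255
    eth("01005e000001", 0x0800),  # IPv4 multicast
    eth("0180c2000000", 0x0026),  # 802.3 length field (bridge PDU), not IP
]

if __name__ == "__main__":
    protos, kinds = tally(SAMPLE)
    total = sum(protos.values())
    print(f"captured={total} ipv4={protos['IPv4']} non-ip={total - protos['IPv4']}")
```

On the sample, half of the captured frames are not IPv4, which is the kind of gap to account for when comparing a sensor's packet total with IP-only or switch-port counters.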