[Snort-users] What NICs are people using?

Terence Runge terencerunge at ...9090...
Fri May 2 10:52:46 EDT 2003


Have you tried this on a Compaq DL380 with dual ports nics? I have this 
set up in multiple locations and have not experienced any driver 
conflicts. This is a RedHat 7.2 build with the Compaq drivers.

http://h18007.www1.hp.com/support/files/server/us/locate/86_1342.html

It looks like these have been upgraded as of April 23, 2003, so I can't 
directly tell you if they will work. The e100-2.1.29 drivers worked with 
the following Intel network adapters:

82558       PRO/100+ Dual Port Server Adapter       714303-xxx, 
711269-xxx,  A28276-xxx
82550       PRO/100 S Dual Port Server Adapter      A56831-xxx

Following is some information from Compaq that might help.

-Terence

============
For the build to work properly it is important that the currently 
running kernel MATCH the version and configuration of the installed 
kernel source. If you have just recompiled your kernel, reboot the 
system and choose the correct kernel to boot.

1. Move the base driver tar file to the directory of your choice. For 
example, use: /home/username/e100 or /usr/local/src/e100.

2. Untar/unzip the archive by entering the following, where <x.x.x> is 
the version number for the driver tar:
     tar xfz e100-<x.x.x>.tar.gz

3. Change to the driver src directory by entering the following, where 
<x.x.x> is the version number for the driver tar:
     cd e100-<x.x.x>/src/   

4. Compile the driver module:
     make install

   The binary will be installed as one of the following:
     /lib/modules/<kernel_version>/kernel/drivers/net/e100.o
     /lib/modules/<kernel_version>/net/e100.o

   The install locations listed above are the default locations. They 
may  not be correct for certain Linux distributions. For more 
information, see the ldistrib.txt file included in the driver tar.

5. Install the module:
     insmod e100 <parameter>=<value>
 
6. Assign an IP address to the interface by entering the following, 
where <x> is the interface number:
     ifconfig eth<x> <IP_address>

7. Verify that the interface works. Enter the following, where 
<IP_address> is the IP address for another machine on the same subnet as 
the interface that is being tested:
     ping <IP_address>

  Due to the ARP behavior on Linux, it is not possible to have one 
system on two IP networks in the same Ethernet broadcast domain 
(non-partitioned switch) behave as expected. All Ethernet interfaces 
will respond to IP traffic for any IP address assigned to the system. 
This results in unbalanced receive traffic.

  When this occurs, transmits and receives for a single conversation can 
be split across different network interfaces. Additionally, the server 
might have up to twice as much transmit capacity as receive capacity, 
which can result in the receive side being overrun and dropping receives.

  If you have multiple interfaces in a server, install them in different 
switches or partition the switch into VLANs to prevent broadcast traffic 
from going to the wrong interface. This does not apply when using a 
teaming solution, like ANS.
========

Gordon Cunningham wrote:

>Situation:  RedHat (choice of version, 7.3+), snort, multiple segments to
>monitor (up to 4), barnyard, MySQL, Webmin, etc.  
>
>RedHat says the use of multiple same-chipset Intel Pro100 NICs won't work
>due to a bug in the driver. I need to find a solution to support up to 4
>sniffing promiscuous Ethernet ports - 2 dual-port NICs or single 4-port?
>
>Q:  What brand/model of multiple NICs are you using to support sniffing up
>to 4 segments (5th separate NIC for management interface) on RedHat systems?
>
>
>Q:  Do the dual- or multi-port NICs work?
>
>Q:  Should I move to another OS?
>
>
>Didn't find much in the archives...  Thanks.
>
>
>- Gordon
>
>Loved this so much I ripped it:  "The software said it requires Windows 98
>or better, so I installed Linux..."
>
>  
>






More information about the Snort-users mailing list