[Snort-users] What NICs are people using?
gcunnin2 at ...163...
Fri May 2 11:14:41 EDT 2003
Thanks Terrence, we'll probably have to use Dell workstation-class systems
due to cost factors. I have used Intel dual-port cards in the past, but not
"The software said it requires Windows 98 or better, so I installed
From: Terence Runge [mailto:terencerunge at ...9090...]
Sent: Friday, May 02, 2003 1:44 PM
To: gcunnin2 at ...163...
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] What NICs are people using?
Have you tried this on a Compaq DL380 with dual-port NICs? I have this
set up in multiple locations and have not experienced any driver
conflicts. This is a RedHat 7.2 build with the Compaq drivers.
It looks like these have been upgraded as of April 23, 2003, so I can't
directly tell you if they will work. The e100-2.1.29 drivers worked with
the following Intel network adapters:
82558 PRO/100+ Dual Port Server Adapter 714303-xxx,
82550 PRO/100 S Dual Port Server Adapter A56831-xxx
Following is some information from Compaq that might help.

For the build to work properly it is important that the currently
running kernel MATCH the version and configuration of the installed
kernel source. If you have just recompiled your kernel, reboot the
system and choose the correct kernel to boot.

1. Move the base driver tar file to the directory of your choice. For
example, use: /home/username/e100 or /usr/local/src/e100.

2. Untar/unzip the archive by entering the following, where <x.x.x> is
the version number for the driver tar:
    tar xfz e100-<x.x.x>.tar.gz

3. Change to the driver src directory by entering the following, where
<x.x.x> is the version number for the driver tar:

4. Compile the driver module:

The binary will be installed as one of the following:

The install locations listed above are the default locations. They
may not be correct for certain Linux distributions. For more
information, see the ldistrib.txt file included in the driver tar.

5. Install the module:
    insmod e100 <parameter>=<value>

6. Assign an IP address to the interface by entering the following,
where <x> is the interface number:
    ifconfig eth<x> <IP_address>

7. Verify that the interface works. Enter the following, where
<IP_address> is the IP address for another machine on the same subnet as
the interface that is being tested:

Due to the ARP behavior on Linux, it is not possible to have one
system on two IP networks in the same Ethernet broadcast domain
(non-partitioned switch) behave as expected. All Ethernet interfaces
will respond to IP traffic for any IP address assigned to the system.
This results in unbalanced receive traffic.

When this occurs, transmits and receives for a single conversation can
be split across different network interfaces. Additionally, the server
might have up to twice as much transmit capacity as receive capacity,
which can result in the receive side being overrun and dropping receives.

If you have multiple interfaces in a server, install them in different
switches or partition the switch into VLANs to prevent broadcast traffic
from going to the wrong interface. This does not apply when using a
teaming solution, like ANS.
Gordon Cunningham wrote:
>Situation: RedHat (choice of version, 7.3+), snort, multiple segments to
>monitor (up to 4), barnyard, MySQL, Webmin, etc.
>RedHat says the use of multiple same-chipset Intel Pro100 NICs won't work
>due to a bug in the driver. I need to find a solution to support up to 4
>sniffing promiscuous Ethernet ports - 2 dual-port NICs or single 4-port?
>Q: What brand/model of multiple NICs are you using to support sniffing up
>to 4 segments (5th separate NIC for management interface) on RedHat
>Q: Do the dual- or multi-port NICs work?
>Q: Should I move to another OS?
>Didn't find much in the archives... Thanks.
>Loved this so much I ripped it: "The software said it requires Windows 98
>or better, so I installed Linux..."
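
Added example (not part of the original messages or of the Compaq/Intel driver notes): a small audit for a multi-NIC sensor that lists sniffing interfaces which carry an IPv4 address and, per the ARP note above, would answer for any address on the system. It assumes iproute2's `ip -o -4 addr show` output format, a kernel that exposes the `arp_ignore` sysctl, and `eth0` as the management interface; the sample addresses are constructed.

```shell
#!/bin/sh
# Added example: audit a multi-NIC sensor for the ARP behaviour described above.
# Assumptions: `ip -o -4 addr show` output format, the arp_ignore sysctl under
# /proc/sys/net/ipv4/conf, and eth0 as the management interface.

# Constructed sample of `ip -o -4 addr show` output (not from a real host).
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
3: eth1    inet 198.51.100.5/24 brd 198.51.100.255 scope global eth1'

# numbered_sniffers MGMT_IF
# Reads address lines on stdin and prints every interface other than lo and
# MGMT_IF that has an IPv4 address. Sniffing ports should not appear here.
numbered_sniffers() {
    awk -v mgmt="$1" '$3 == "inet" && $2 != "lo" && $2 != mgmt { print $2 }' | sort -u
}

# arp_answers_for_any CONF_DIR IFACE
# Returns 0 when IFACE would answer ARP for addresses held by other interfaces.
# The kernel uses max(all, IFACE) of arp_ignore; 0 means "reply for any local
# address, configured on any interface". A missing file is treated as 0.
arp_answers_for_any() {
    all=$(cat "$1/all/arp_ignore" 2>/dev/null || echo 0)
    own=$(cat "$1/$2/arp_ignore" 2>/dev/null || echo 0)
    if [ "$all" -gt "$own" ]; then own=$all; fi
    [ "$own" -eq 0 ]
}

# audit_sensor MGMT_IF CONF_DIR
# Reads address lines on stdin and prints one finding per numbered sniffing port.
audit_sensor() {
    numbered_sniffers "$1" | while read -r ifc; do
        if arp_answers_for_any "$2" "$ifc"; then
            echo "$ifc: has an IPv4 address and arp_ignore=0 (answers ARP for any local address)"
        else
            echo "$ifc: has an IPv4 address (arp_ignore is non-zero)"
        fi
    done
}

# Demo on the constructed sample; on a live sensor pipe in `ip -o -4 addr show`.
printf '%s\n' "$SAMPLE_ADDRS" | audit_sensor eth0 /proc/sys/net/ipv4/conf
```

An empty report means every sniffing port is unnumbered, so only the management interface can answer ARP.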