[Snort-users] What NICs are people using?

Terence Runge terencerunge at ...9090...
Fri May 2 11:27:02 EDT 2003


I use Dell Optiplex GX 260's in the test lab. If you go this route and 
want to continue with RedHat, you will want to install RH 8, kernel 
2.4.18-27.8.0. These optiplex use the full size nic, have two available 
slots, and one onboard nic you can use as  a control port. These have 
held up fairly well. Regarding the dual or four port nic, I can not 
verify that you will be without issues.

Most recently, however, I did have success with a Dell Power Edge 2550 
and an Intel dual port nic using the default drivers off the RH 8 distro.

-Terence

Gordon Cunningham wrote:

>Thanks Terrence, we'll probably have to use Dell workstation-class systems
>due to cost factors.  I have used Intel dual-port cards in the past, but not
>under Linux.
>
>
>- Gordon
>
>"The software said it requires Windows 98 or better, so I installed
>Linux..."
>
> -----Original Message-----
>From: 	Terence Runge [mailto:terencerunge at ...9090...]
>Sent:	Friday, May 02, 2003 1:44 PM
>To:	gcunnin2 at ...163...
>Cc:	snort-users at lists.sourceforge.net
>Subject:	Re: [Snort-users] What NICs are people using?
>
>Have you tried this on a Compaq DL380 with dual ports nics? I have this
>set up in multiple locations and have not experienced any driver
>conflicts. This is a RedHat 7.2 build with the Compaq drivers.
>
>http://h18007.www1.hp.com/support/files/server/us/locate/86_1342.html
>
>It looks like these have been upgraded as of April 23, 2003, so I can't
>directly tell you if they will work. The e100-2.1.29 drivers worked with
>the following Intel network adapters:
>
>82558       PRO/100+ Dual Port Server Adapter       714303-xxx,
>711269-xxx,  A28276-xxx
>82550       PRO/100 S Dual Port Server Adapter      A56831-xxx
>
>Following is some information from Compaq that might help.
>
>-Terence
>
>============
>For the build to work properly it is important that the currently
>running kernel MATCH the version and configuration of the installed
>kernel source. If you have just recompiled your kernel, reboot the
>system and choose the correct kernel to boot.
>
>1. Move the base driver tar file to the directory of your choice. For
>example, use: /home/username/e100 or /usr/local/src/e100.
>
>2. Untar/unzip the archive by entering the following, where <x.x.x> is
>the version number for the driver tar:
>     tar xfz e100-<x.x.x>.tar.gz
>
>3. Change to the driver src directory by entering the following, where
><x.x.x> is the version number for the driver tar:
>     cd e100-<x.x.x>/src/
>
>4. Compile the driver module:
>     make install
>
>   The binary will be installed as one of the following:
>     /lib/modules/<kernel_version>/kernel/drivers/net/e100.o
>     /lib/modules/<kernel_version>/net/e100.o
>
>   The install locations listed above are the default locations. They
>may  not be correct for certain Linux distributions. For more
>information, see the ldistrib.txt file included in the driver tar.
>
>5. Install the module:
>     insmod e100 <parameter>=<value>
>
>6. Assign an IP address to the interface by entering the following,
>where <x> is the interface number:
>     ifconfig eth<x> <IP_address>
>
>7. Verify that the interface works. Enter the following, where
><IP_address> is the IP address for another machine on the same subnet as
>the interface that is being tested:
>     ping <IP_address>
>
>  Due to the ARP behavior on Linux, it is not possible to have one
>system on two IP networks in the same Ethernet broadcast domain
>(non-partitioned switch) behave as expected. All Ethernet interfaces
>will respond to IP traffic for any IP address assigned to the system.
>This results in unbalanced receive traffic.
>
>  When this occurs, transmits and receives for a single conversation can
>be split across different network interfaces. Additionally, the server
>might have up to twice as much transmit capacity as receive capacity,
>which can result in the receive side being overrun and dropping receives.
>
>  If you have multiple interfaces in a server, install them in different
>switches or partition the switch into VLANs to prevent broadcast traffic
>from going to the wrong interface. This does not apply when using a
>teaming solution, like ANS.
>========
>
>Gordon Cunningham wrote:
>
>  
>
>>Situation:  RedHat (choice of version, 7.3+), snort, multiple segments to
>>monitor (up to 4), barnyard, MySQL, Webmin, etc.
>>
>>RedHat says the use of multiple same-chipset Intel Pro100 NICs won't work
>>due to a bug in the driver. I need to find a solution to support up to 4
>>sniffing promiscuous Ethernet ports - 2 dual-port NICs or single 4-port?
>>
>>Q:  What brand/model of multiple NICs are you using to support sniffing up
>>to 4 segments (5th separate NIC for management interface) on RedHat
>>    
>>
>systems?
>  
>
>>Q:  Do the dual- or multi-port NICs work?
>>
>>Q:  Should I move to another OS?
>>
>>
>>Didn't find much in the archives...  Thanks.
>>
>>
>>- Gordon
>>
>>Loved this so much I ripped it:  "The software said it requires Windows 98
>>or better, so I installed Linux..."
>>
>>
>>
>>    
>>
>
>
>  
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20030502/903a677d/attachment.html>


More information about the Snort-users mailing list