[Snort-users] Trouble Snorting with Multiple Interfaces

Gordon Cunningham gcunnin2 at ...163...
Thu May 22 05:30:02 EDT 2003


I have seen similar problems reported when the two NICs are the same brand
and model and/or chipset.  Apparently some drivers under *nix have trouble
with two or more NICs are in promiscuous mode using the same driver.  Some
have suggested using two different manufacturer's NICs to force loading
separate drivers for each NIC.  I am still investigating this, as I'd like
to use a 4-port card, but if I can't put all ports into promiscuous mode to
work with snort, there's no sense in doing this.  You might try other
drivers or another NIC if your NICs are identical.


- Gordon

"The software said it requires Windows 98 or better, so I installed
Linux..."

 -----Original Message-----
From: 	snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]  On Behalf Of Travis Rodak
Sent:	Tuesday, May 20, 2003 6:04 PM
To:	snort-users at lists.sourceforge.net
Subject:	[Snort-users] Trouble Snorting with Multiple Interfaces

I am having trouble seeing data on eth1 when eth0 has been started and
runs at the same time.
snort -d -i eth0 -c....
snort -d -i eth1 -c....
When I stop snort on eth0 then eth1 will pick up data on its network
segment.  If they are both running at the same time, eth0 is the only
interface that records data.  Any ideas?
----------------------------------------------------------------------------
-
Here is my ifconfig as well.....

eth0      Link encap:Ethernet  HWaddr 00:E0:81:52:01:03
          inet addr:192.168.1.20  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:116249991 errors:0 dropped:0 overruns:0 frame:7
          TX packets:1303454 errors:0 dropped:0 overruns:0 carrier:1
          collisions:13133 txqueuelen:100
          RX bytes:2944149069 (2807.7 Mb)  TX bytes:340014799 (324.2 Mb)
          Interrupt:11

eth1      Link encap:Ethernet  HWaddr 00:E0:81:52:01:02
          inet addr:10.1.1.200  Bcast:10.1.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7718745 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23 errors:0 dropped:0 overruns:4 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1163621613 (1109.7 Mb)  TX bytes:1776 (1.7 Kb)
          Interrupt:10 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:380 errors:0 dropped:0 overruns:0 frame:0
          TX packets:380 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:28168 (27.5 Kb)  TX bytes:28168 (27.5 Kb)
----------------------------------------------------------------------------
and route as well.......

192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
10.1.0.0        *               255.255.0.0     U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

----------------------------------------------------------------------------
-

Please advise...

--
Travis Rodak
Manager Web Presentation / Security
Computer Marketing Corporation
http://www.cmcflex.com



(All caveats, disclaimers, disclosures, labels, notices, and warnings
commonly included in email messages are hereby incorporated by reference as
if set forth in full. Without limiting the generality of the foregoing, this
email represents only the personal opinion of the author, and only at the
moment of writing. The author reserves the right to express any other
opinion at any time for any reason or no reason.)




-------------------------------------------------------
This SF.net email is sponsored by: ObjectStore.
If flattening out C++ or Java code to make your application fit in a
relational database is painful, don't do it! Check out ObjectStore.
Now part of Progress Software. http://www.objectstore.net/sourceforge
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





More information about the Snort-users mailing list