[Snort-users] snort processes packets twice?

jorbru30 at ...5068... jorbru30 at ...5068...
Wed Jun 27 01:18:11 EDT 2012


I am running snort version 2.9.1 as IPS using the following command. 

/usr/local/snort/bin/snort --daq afpacket -i eth0:eth1 -Q --daq-dir=/usr/local/lib/daq -l /var/log/snort -c /usr/local/snort/etc/snort.conf 

I am sending packets from a traffic generator tool which acts as a sender and receiver.

      Traffic generator(TGS)<-> eth0 <->eth1 <-> Traffic generator(TGR) 

About 25,000 packets are seen at eth0 (packets sent from TGS and responses (mostly ack packets) from TGR). The same set of packets is seen at eth1.

After I stopped snort with Ctrl-C, snort displays ... "Snort processed 50531 packets".

I was expecting snort to process incoming packets (packets from eth0 to eth1) and outgoing packets (packets from eth1 to eth0), which is about 25,000, but it processes double the number of packets.

Please help me understand why snort processes packets twice.

Thank you! 
