[Snort-users] snort processes packets twice?

Russ Combs rcombs at ...1935...
Wed Jun 27 13:56:47 EDT 2012


Not sure why you are seeing double; any chance you bridged eth0 and eth1?

On Wed, Jun 27, 2012 at 1:18 AM, <jorbru30 at ...5068...> wrote:

> Hi,
>
> I am running snort version 2.9.1 as IPS using the following command.
>
> /usr/local/snort/bin/snort --daq afpacket -i eth0:eth1 -Q
> --daq-dir=/usr/local/lib/daq -l /var/log/snort -c
> /usr/local/snort/etc/snort.conf
>
> I am sending packets from a traffic generator tool which acts as a sender
> and receiver.
>
>       Traffic generator(TGS)<-> eth0 <->eth1 <-> Traffic generator(TGR)
>
> About 25,000 packets are seen at eth0 (packets sent from TGS and
> responses (mostly ack packets) from TGR).  The same set of packets is seen
> at eth1.
>
> After I stopped snort with Ctrl-C, snort displays ..."Snort processed 50531
> packets".
>
> I was expecting snort to process incoming packets (packets from eth0 to
> eth1) and outgoing packets (packets from eth1 to eth0) which is about
> 25,000 but it processes double # of packets.
>
> Please help me understand why snort processes packets twice.
>
> Thank you!
>
> Jorda.
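Added example, not part of the original thread: one way to check the bridging question raised in the reply is to read the Linux sysfs bridge-port entries for both interfaces. The function names `bridge_of` and `same_bridge` and the optional sysfs-root argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: report whether two interfaces are ports of the same Linux
# kernel bridge. A bridge port has a brport/bridge symlink under
# /sys/class/net/<iface>/ that points at the bridge device.

# bridge_of IFACE [SYSFS_NET]
# Prints the bridge name. Returns 1 if IFACE is not a bridge port,
# 2 if IFACE does not exist. SYSFS_NET defaults to /sys/class/net
# (overridable so the logic can be exercised on a constructed tree).
bridge_of() {
    iface=$1
    root=${2:-/sys/class/net}
    link="$root/$iface/brport/bridge"
    [ -e "$root/$iface" ] || return 2
    [ -L "$link" ] || return 1
    basename "$(readlink "$link")"
}

# same_bridge IFACE_A IFACE_B [SYSFS_NET]
# Prints the shared bridge name and returns 0 only when both interfaces
# are ports of the same bridge; returns 1 otherwise.
same_bridge() {
    a=$(bridge_of "$1" "$3") || return 1
    b=$(bridge_of "$2" "$3") || return 1
    [ "$a" = "$b" ] || return 1
    echo "$a"
}

# Usage on the sensor from the thread:
#   same_bridge eth0 eth1 && echo "eth0 and eth1 are bridged by the kernel"
```
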

