[Snort-users] snot processes packets twice?
rmkml at ...1855...
Wed Jun 27 18:59:39 EDT 2012
Can you try with last snort stable v220.127.116.11 and daq v0.6.2 ?
or latest snort release candidate (v2.9.3_rc) and daq v1.1.1 ?
Can you run daq dump ?
On Wed, 27 Jun 2012, jorbru30 at ...5068... wrote:
> Thank you Russ for the tip.
> I checked for any bridge but there is none.
> mysnort at ...424...:~/pcaps$ brctl show
> bridge name bridge id STP enabled interfaces
> I captured pcaps at eth0 and eth1 and each show about 25,000 packets.
> I also added a print statement prior to "ProcessPacket" in snort.c to verify snort is indeed inspecting duplicate packets. My findings is yes, it does inspect about 50,000 packets.
> I am still trying to figure out why snort checks packets from both interface and how to fix the issue.
> I appreciate any help.
> From: "Russ Combs" <rcombs at ...1935...>
> To: jorbru30 at ...5068...
> Cc: snort-users at lists.sourceforge.net
> Sent: Wednesday, June 27, 2012 10:56:47 AM
> Subject: Re: [Snort-users] snot processes packets twice?
> Not sure why you are seeing double; any chance you bridged eth0 and eth1?
> On Wed, Jun 27, 2012 at 1:18 AM, <jorbru30 at ...5068...> wrote:
> I am running snort version 2.9.1 as IPS using the following command.
> /usr/local/snort/bin/snort --daq afpacket -i eth0:eth1 -Q --daq-dir=/usr/local/lib/daq -l /var/log/snort -c /usr/local/snort/etc/snort.conf
> I am sending packets from a traffic generator tool which acts as a sender and receiver.
> Traffic generator(TGS)<-> eth0 <->eth1 <-> Traffic generator(TGR)
> About 25,000 packets are seen at eth0 (packets sent from TGS and responses(mostly ack packets) from TGR). The same set of packets are seen at eth1.
> After I stopped snort with ctr-c, snort displays ..."Snort processed 50531 packets".
> I was expecting snort to process incoming packets (packets from eth0 to eth1) and outgoing packets (packets from eth1 to eth0) which is about 25,000 but it processes double # of packets.
> Please help me understand why snort process packets twice.
> Thank you!
More information about the Snort-users