[Snort-users] Snort not seeing IP-traffic, just Ether/Other

Glenn Geller ggeller at ...11827...
Thu Apr 18 14:36:58 EDT 2013


Hello Kim,

One thing you may want to check is the position of your secondary NIC.

Specifically, some Linux builds actually see the secondary NIC as eth0, and
this may be only connected to the non-span port.

I have had this issue recently, and it took a few days to figure it out.

May not be related to your specific issue, but wanted to put in my 2 cents.

Good luck,

Glenn


On Thu, Apr 18, 2013 at 11:01 AM, Kim.Halavakoski at ...16243... <
Kim.Halavakoski at ...16241...> wrote:

> Hello,
> I have set up a snort-sensor on a RedHat Linux box with traffic from a
> switch span-port feeding eth1 on the box. The traffic contains
> vlan-tagged traffic, if that makes any difference.
>
> The problem is that I am just getting some weird multicast / SSAP and
> DSAP encapsulated Ethernet frames on that interface on the Linux box,
> but when a colleague plugged in his laptop with Windows 7 on the same
> port it saw all the traffic that I would like to see, meaning IP-traffic
> from the monitored networks.
>
> So Windows 7 sees the traffic, but the Linux box running snort just sees
> weird multicast / SSAP / DSAP traffic. tcpdump does not show any IP
> traffic either. I know this is probably not a snort-question per se, but
> being snort-users list I think some of you guys might have some good
> insights into this behaviour, probably easy to fix but I just can't get it
> right now :( Any ideas on what I am doing wrong here?
>
>
> The interface is set in promiscuous mode:
>
> [root at ...16242... khalavak]# ifconfig eth1
> eth1      Link encap:Ethernet  HWaddr 00:14:5E:2A:34:85
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>           RX packets:3668068 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:628710729 (599.5 MiB)  TX bytes:0 (0.0 b)
>           Interrupt:16
>
> Snort sees only Ether and Other traffic:
>
> [root at ...16242... khalavak]# snort -i eth1
> Running in packet dump mode
>
>         --== Initializing Snort ==--
> Initializing Output Plugins!
> pcap DAQ configured to passive.
> Acquiring network traffic from "eth1".
> Decoding Ethernet
>
>         --== Initialization Complete ==--
>
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.9.4.1 GRE (Build 69)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>            Using libpcap version 1.0.0
>            Using PCRE version: 7.8 2008-09-05
>            Using ZLIB version: 1.2.3
>
> Commencing packet processing (pid=3644)
> ^C*** Caught Int-Signal
>
> ===============================================================================
> Run time for packet processing was 7.103551 seconds
> Snort processed 1354 packets.
> Snort ran for 0 days 0 hours 0 minutes 7 seconds
>    Pkts/sec:          193
>
> ===============================================================================
> Packet I/O Totals:
>    Received:         1354
>    Analyzed:         1354 (100.000%)
>     Dropped:            0 (  0.000%)
>    Filtered:            0 (  0.000%)
> Outstanding:            0 (  0.000%)
>    Injected:            0
>
> ===============================================================================
> Breakdown by protocol (includes rebuilt packets):
>         Eth:         1354 (100.000%)
>        VLAN:            0 (  0.000%)
>         IP4:            0 (  0.000%)
>        Frag:            0 (  0.000%)
>        ICMP:            0 (  0.000%)
>         UDP:            0 (  0.000%)
>         TCP:            0 (  0.000%)
>         IP6:            0 (  0.000%)
>     IP6 Ext:            0 (  0.000%)
>    IP6 Opts:            0 (  0.000%)
>       Frag6:            0 (  0.000%)
>       ICMP6:            0 (  0.000%)
>        UDP6:            0 (  0.000%)
>        TCP6:            0 (  0.000%)
>      Teredo:            0 (  0.000%)
>     ICMP-IP:            0 (  0.000%)
>     IP4/IP4:            0 (  0.000%)
>     IP4/IP6:            0 (  0.000%)
>     IP6/IP4:            0 (  0.000%)
>     IP6/IP6:            0 (  0.000%)
>         GRE:            0 (  0.000%)
>     GRE Eth:            0 (  0.000%)
>    GRE VLAN:            0 (  0.000%)
>     GRE IP4:            0 (  0.000%)
>     GRE IP6:            0 (  0.000%)
> GRE IP6 Ext:            0 (  0.000%)
>    GRE PPTP:            0 (  0.000%)
>     GRE ARP:            0 (  0.000%)
>     GRE IPX:            0 (  0.000%)
>    GRE Loop:            0 (  0.000%)
>        MPLS:            0 (  0.000%)
>         ARP:            0 (  0.000%)
>         IPX:            0 (  0.000%)
>    Eth Loop:            0 (  0.000%)
>    Eth Disc:            0 (  0.000%)
>    IP4 Disc:            0 (  0.000%)
>    IP6 Disc:            0 (  0.000%)
>    TCP Disc:            0 (  0.000%)
>    UDP Disc:            0 (  0.000%)
>   ICMP Disc:            0 (  0.000%)
> All Discard:            0 (  0.000%)
>       Other:         1354 (100.000%)
> Bad Chk Sum:            0 (  0.000%)
>     Bad TTL:            0 (  0.000%)
>      S5 G 1:            0 (  0.000%)
>      S5 G 2:            0 (  0.000%)
>       Total:         1354
>
> ===============================================================================
> Snort exiting
>
> [root at ...16242... khalavak]
>
> Same with tcpdump, not seeing any IP-traffic just weird "Unknown SSAP"
> and "Null information" packets:
>
> [root at ...16242... khalavak]# tcpdump -nn  -i eth1
> tcpdump: WARNING: eth1: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
> 20:55:14.105981 00:10:db:fc:45:00 Unknown SSAP 0x26 > 00:50:56:95:20:66
> Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command],
> length 60
> 20:55:14.106120 00:50:56:95:45:00 > 00:10:db:fc:40:05 Null Information,
> send seq 32, rcv seq 0, Flags [Command], length 60
> 20:55:14.106840 00:10:db:fc:45:00 Unknown SSAP 0x26 > 00:50:56:95:20:66
> Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Response],
> length 52
> 20:55:14.107173 00:10:db:fc:45:00 Unknown SSAP 0x28 > 00:50:56:95:20:66
> Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command],
> length 191
> 20:55:14.107275 00:50:56:95:45:00 Unknown SSAP 0x3e > 00:10:db:fc:40:05
> Unknown DSAP 0x78 Information, send seq 32, rcv seq 0, Flags [Response],
> length 52
> 20:55:14.108298 00:50:56:95:45:00 Unknown SSAP 0x40 > 00:10:db:fc:40:05
> Unknown DSAP 0x78 Information, send seq 32, rcv seq 0, Flags [Command],
> length 138
> 20:55:14.108354 00:50:56:95:45:00 Unknown SSAP 0x40 > 00:10:db:fc:40:05
> Unknown DSAP 0x78 Information, send seq 32, rcv seq 0, Flags [Response],
> length 58
> 20:55:14.108423 00:50:56:95:45:00 STP > 00:10:db:fc:40:05 Unknown DSAP
> 0x78 Information, send seq 32, rcv seq 0, Flags [Command], length 89
> 20:55:14.109385 00:10:db:fc:45:00 Unknown SSAP 0x28 > 00:50:56:95:20:66
> Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Response],
> length 52
> 20:55:14.109395 00:10:db:fc:45:00 Unknown SSAP 0x2a > 00:50:56:95:20:66
> Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command],
> length 52
> 20:55:14.109400 00:10:db:fc:45:00 Unknown SSAP 0x2a > 00:50:56:95:20:66
> Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Response],
> length 52
> 20:55:14.109488 00:10:db:fc:45:00 Unknown SSAP 0x2c > 00:50:56:95:20:66
> Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command],
> length 95
> 20:55:14.109494 00:10:db:fc:45:00 Unknown SSAP 0x2c > 00:50:56:95:20:66
> Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Response],
> length 80
> 20:55:14.109567 00:50:56:95:45:00 STP > 00:10:db:fc:40:05 Unknown DSAP
> 0x78 Information, send seq 32, rcv seq 0, Flags [Response], length 52
> 20:55:14.110465 00:50:56:95:45:00 Unknown SSAP 0x44 > 00:10:db:fc:40:05
> Unknown DSAP 0x78 Information, send seq 32, rcv seq 0, Flags [Command],
> length 1206
> 20:55:14.110546 00:50:56:95:45:00 Unknown SSAP 0x44 > 00:10:db:fc:40:05
> Unknown DSAP 0x78 Information, send seq 32, rcv seq 0, Flags [Response],
> length 52
> 20:55:14.111141 00:10:db:fc:45:00 Unknown SSAP 0x2e > 00:50:56:95:20:66
> Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command],
> length 52
> 20:55:14.111327 00:10:db:fc:45:00 Unknown SSAP 0x2e > 00:50:56:95:20:66
> Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Response],
> length 75
> 20:55:14.111338 00:10:db:fc:45:00 Unknown SSAP 0x30 > 00:50:56:95:20:66
> Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command],
> length 52
> 20:55:14.111542 00:50:56:95:45:00 > 00:10:db:fc:40:05 Null Information,
> send seq 32, rcv seq 0, Flags [Command], length 46
> 20:55:14.111581 00:50:56:95:45:00 > 00:10:db:fc:40:05 Null Information,
> send seq 32, rcv seq 0, Flags [Command], length 46
> 20:55:14.119656 00:50:56:95:45:00 Unknown SSAP 0x44 > 00:50:56:95:20:64
> Unknown DSAP 0xb6 Information, send seq 32, rcv seq 0, Flags [Command],
> length 240
> ^C
> 22 packets captured
> 22 packets received by filter
> 0 packets dropped by kernel
> [root at ...16242... khalavak]#
>
> Best regards,
>
> Kim Halavakoski
>
> PGP S°: 0BFA A910 9AA7 94A5 A323  53F5 4151 4CE4 33BE 35FA
> kim.halavakoski at ...16241...
>
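As an added example (not code from this thread, nor from Snort or tcpdump), the Python below decodes Ethernet frames the way tcpdump and Snort's decoder classify them: a type/length field of 1500 or less is treated as an 802.3 length and the next bytes as an LLC header, which is exactly what produces the "Unknown SSAP 0x26 > Unknown DSAP 0x6c ... send seq 32" lines and a 100% "Other" breakdown above. The sample frames, the reuse of the MAC addresses from the tcpdump output, and the IPv4 header bytes are all constructed for the example.

```python
# Added example (not from the thread): decode Ethernet frames the way tcpdump
# and Snort's decoder do, to show why a frame whose type/length field holds a
# value <= 1500 is printed as LLC "Unknown SSAP/DSAP" and is counted as "Other"
# rather than IP4. All sample frames below are constructed, not captured.
import struct

ETHERTYPE_MIN = 0x0600   # <= 1500 (0x05DC) means an 802.3 length, not an EtherType
KNOWN_TYPES = {0x0800: "IP4", 0x0806: "ARP", 0x86DD: "IP6"}

def classify_frame(frame: bytes) -> dict:
    """Describe one frame: Ethernet II vs 802.3/LLC, VLAN tags, and the bucket Snort would count it in."""
    if len(frame) < 20:
        raise ValueError("runt frame")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "vlans": []}
    off = 12
    while struct.unpack("!H", frame[off:off + 2])[0] in (0x8100, 0x88A8):  # 802.1Q / QinQ tag
        info["vlans"].append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    type_or_len = struct.unpack("!H", frame[off:off + 2])[0]
    if type_or_len >= ETHERTYPE_MIN:
        info["encap"] = "Ethernet II"
        info["bucket"] = KNOWN_TYPES.get(type_or_len, "Other")
        return info
    # 802.3 length field: tcpdump treats the following bytes as LLC DSAP, SSAP, control
    dsap, ssap = frame[off + 2], frame[off + 3]
    control = frame[off + 4] | (frame[off + 5] << 8)      # tcpdump reads I-frame control little-endian
    info.update(encap="802.3/LLC", length=type_or_len, dsap=dsap & 0xFE, ssap=ssap & 0xFE,
                flags="Response" if ssap & 0x01 else "Command", bucket="Other")
    if control & 0x01 == 0:                               # I-frame: N(S) in bits 1-7, N(R) in bits 9-15
        info.update(send_seq=(control >> 1) & 0x7F, rcv_seq=(control >> 9) & 0x7F)
    return info

def breakdown(frames) -> dict:
    """Count frames per bucket like Snort's 'Breakdown by protocol' summary."""
    counts = {"Eth": 0, "VLAN": 0, "IP4": 0, "IP6": 0, "ARP": 0, "Other": 0}
    for f in frames:
        info = classify_frame(f)
        counts["Eth"] += 1
        counts["VLAN"] += bool(info["vlans"])
        counts[info["bucket"]] += 1
    return counts

# Constructed samples; MACs reused from the tcpdump output in the thread
DST, SRC = bytes.fromhex("005056952066"), bytes.fromhex("0010dbfc4500")
IP_HDR = bytes.fromhex("45000034000040004006000000000000") + bytes(4)  # minimal constructed IPv4 header
# Mirrors the thread's tcpdump line: length 60, DSAP 0x6c, SSAP 0x26, control 0x40 0x00
FRAME_LLC = DST + SRC + bytes.fromhex("003c6c264000") + bytes(54)
FRAME_IP4 = DST + SRC + bytes.fromhex("0800") + IP_HDR          # plain Ethernet II + IPv4
FRAME_VLAN = DST + SRC + bytes.fromhex("810000640800") + IP_HDR  # 802.1Q VLAN 100 + IPv4
```

Running `classify_frame` over a few frames from a real capture (for example via a pcap reader) tells you in which byte position the decoder stops seeing an EtherType, which is the first thing to compare between the Linux capture and the Windows one that saw IP traffic.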