[Snort-users] Snort not seeing IP-traffic, just Ether/Other
jlay at ...13475...
Thu Apr 18 14:52:17 EDT 2013
On 2013-04-18 12:01, Kim.Halavakoski at ...16243... wrote:
> I have setup a snort-sensor on a RedHat Linux box with traffic from a
> switch span-port feeding eth1 on the box. The traffic contains
> vlan-tagged traffic, if that makes any difference.
> The problem is that I am just getting some weird multicast / SSAP and
> DSAP encapsulated Ethernet frames on that interface on the Linux box,
> but when a colleague plugged in his laptop with Windows 7 on the same
> port it saw all the traffic that I would like to see, meaning
> from the monitored networks.
> So Windows 7 sees the traffic, but the Linux box running snort just
> sees weird multicast / SSAP / DSAP traffic. tcpdump does not show any IP
> traffic either. I know this is probably not a snort-question per se,
> being snort-users list I think some of you guys might have some good
> insights to this behaviour, probably easy to fix but I just can't get
> right now :( Any ideas on what I am doing wrong here?
> Best regards,
> Kim Halavakoski
Doesn't seem like your span-port is working..you should at least see
broadcast though...that's weird.
Try setting your nic offloading (as root and with ethtool installed):
ethtool -K eth1 rx off
ethtool -K eth1 tx off
ethtool -K eth1 sg off
ethtool -K eth1 tso off
ethtool -K eth1 gso off
ethtool -K eth1 gro off
Also, any VLAN action going on?
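To confirm that the offload settings suggested above actually took effect on the sensor interface, here is an added example (not part of the original post): it parses the output of `ethtool -k` (lowercase, which lists features) and reports which of the six offloads are still on. The sample output is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report which offloads from the post are still enabled.

# Constructed sample of `ethtool -k eth1` output, used when no interface is given.
SAMPLE_OUTPUT='Features for eth1:
rx-checksumming: on
tx-checksumming: off
scatter-gather: off
tcp-segmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]'

# Map the long feature names printed by `ethtool -k` to the short -K keywords.
short_name() {
    case "$1" in
        rx-checksumming)              echo rx ;;
        tx-checksumming)              echo tx ;;
        scatter-gather)               echo sg ;;
        tcp-segmentation-offload)     echo tso ;;
        generic-segmentation-offload) echo gso ;;
        generic-receive-offload)      echo gro ;;
        *) return 1 ;;   # not one of the six offloads in the post
    esac
}

# Read `ethtool -k` output on stdin; print the short names that are still "on".
offloads_still_on() {
    result=""
    while IFS= read -r line; do
        feature=${line%%:*}      # text before the first colon
        state=${line#*: }        # text after "feature: "
        state=${state%% *}       # drop a trailing "[fixed]" marker
        name=$(short_name "$feature") || continue
        [ "$state" = "on" ] && result="${result:+$result }$name"
    done
    echo "$result"
}

# Live check when an interface is given and ethtool exists, else the sample.
if [ $# -ge 1 ] && command -v ethtool >/dev/null 2>&1; then
    ethtool -k "$1" | offloads_still_on
else
    printf '%s\n' "$SAMPLE_OUTPUT" | offloads_still_on
fi
```

An empty result means all six are off; any name printed can be passed back to `ethtool -K <iface> <name> off`.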