[Snort-users] Snort not seeing IP-traffic, just Ether/Other

James Lay jlay at ...13475...
Thu Apr 18 14:52:17 EDT 2013

On 2013-04-18 12:01, Kim.Halavakoski at ...16243... wrote:
> Hello,
> I have set up a snort-sensor on a RedHat Linux box with traffic from a
> switch span-port feeding eth1 on the box. The traffic contains
> vlan-tagged traffic, if that makes any difference.
> The problem is that I am just getting some weird multicast / SSAP and
> DSAP encapsulated Ethernet frames on that interface on the Linux box,
> but when a colleague plugged in his laptop with Windows 7 on the same
> port it saw all the traffic that I would like to see, meaning IP-traffic
> from the monitored networks.
> So Windows 7 sees the traffic, but the Linux box running snort just sees
> weird multicast / SSAP / DSAP traffic. tcpdump does not show any IP
> traffic either. I know this is probably not a snort-question per se, but
> this being the snort-users list I think some of you guys might have some
> good insights to this behaviour, probably easy to fix but I just can't
> get it right now :( Any ideas on what I am doing wrong here?

> Best regards,
> Kim Halavakoski

Doesn't seem like your span-port is working... you should at least see
broadcast though... that's weird.

Try setting your nic offloading (as root and with ethtool installed):

ethtool -K eth1 rx off
ethtool -K eth1 tx off
ethtool -K eth1 sg off
ethtool -K eth1 tso off
ethtool -K eth1 gso off
ethtool -K eth1 gro off

Also, any VLAN action going on?
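
Added example, not part of the original message: a check that the six offloads disabled above are really off, by parsing `ethtool -k` output. The function name and the sample output are constructed for illustration; the long feature names are the ones `ethtool -k` prints for the short flags used above.

```shell
#!/bin/sh
# Reads `ethtool -k <iface>` output on stdin and prints the short flag
# (as used with `ethtool -K`) of every listed offload that is still "on".
offloads_still_on() {
    awk -F': *' '
        BEGIN {
            # long name printed by `ethtool -k` -> short flag for `ethtool -K`
            flag["rx-checksumming"]              = "rx"
            flag["tx-checksumming"]              = "tx"
            flag["scatter-gather"]               = "sg"
            flag["tcp-segmentation-offload"]     = "tso"
            flag["generic-segmentation-offload"] = "gso"
            flag["generic-receive-offload"]      = "gro"
        }
        ($1 in flag) {
            # value may carry a suffix such as "off [fixed]"; keep first word
            split($2, v, " ")
            if (v[1] == "on") print flag[$1]
        }
    '
}

# Constructed sample of `ethtool -k eth1` output where two settings did
# not take effect (not captured from a real host).
SAMPLE='Features for eth1:
rx-checksumming: off
tx-checksumming: off
    tx-checksum-ipv4: off
scatter-gather: off
tcp-segmentation-offload: off
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]'

# Demo on the sample; on a live sensor (as root, ethtool installed) use:
#   ethtool -k eth1 | offloads_still_on
printf '%s\n' "$SAMPLE" | offloads_still_on
```

No output from the live command means all six offloads are off on that interface.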


