[Snort-users] Snort not seeing IP-traffic, just Ether/Other

Michal Purzynski michal at ...16244...
Thu Apr 18 14:45:19 EDT 2013


Are you running SO in a VM of any kind?

Is the ifconfig output on the sniffing interface growing as it should be?

On 4/18/13 8:01 PM, Kim.Halavakoski at ...16243... wrote:
> Hello,
> I have set up a snort-sensor on a RedHat Linux box with traffic from a
> switch span-port feeding eth1 on the box. The traffic contains
> vlan-tagged traffic, if that makes any difference.
>
> The problem is that I am just getting some weird multicast / SSAP and
> DSAP encapsulated Ethernet frames on that interface on the Linux box,
> but when a colleague plugged in his laptop with Windows 7 on the same
> port it saw all the traffic that I would like to see, meaning IP-traffic
> from the monitored networks.
>
> So Windows 7 sees the traffic, but the Linux box running snort just sees
> weird multicast / SSAP / DSAP traffic. tcpdump does not show any IP
> traffic either. I know this is probably not a snort-question per se, but
> being snort-users list I think some of you guys might have some good
> insights into this behaviour, probably easy to fix but I just can't get it
> right now :( Any ideas on what I am doing wrong here?
>
>
> The interface is set in promiscuous mode:
>
> [root at ...16242... khalavak]# ifconfig eth1
> eth1      Link encap:Ethernet  HWaddr 00:14:5E:2A:34:85
>            UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
>            RX packets:3668068 errors:0 dropped:0 overruns:0 frame:0
>            TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>            collisions:0 txqueuelen:1000
>            RX bytes:628710729 (599.5 MiB)  TX bytes:0 (0.0 b)
>            Interrupt:16
>
> Snort sees only Ether and Other traffic:
>
> [root at ...16242... khalavak]# snort -i eth1
> Running in packet dump mode
>
>          --== Initializing Snort ==--
> Initializing Output Plugins!
> pcap DAQ configured to passive.
> Acquiring network traffic from "eth1".
> Decoding Ethernet
>
>          --== Initialization Complete ==--
>
>     ,,_     -*> Snort! <*-
>    o"  )~   Version 2.9.4.1 GRE (Build 69)
>     ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/snort/snort-team
>             Copyright (C) 1998-2013 Sourcefire, Inc., et al.
>             Using libpcap version 1.0.0
>             Using PCRE version: 7.8 2008-09-05
>             Using ZLIB version: 1.2.3
>
> Commencing packet processing (pid=3644)
> ^C*** Caught Int-Signal
> ===============================================================================
> Run time for packet processing was 7.103551 seconds
> Snort processed 1354 packets.
> Snort ran for 0 days 0 hours 0 minutes 7 seconds
>     Pkts/sec:          193
> ===============================================================================
> Packet I/O Totals:
>     Received:         1354
>     Analyzed:         1354 (100.000%)
>      Dropped:            0 (  0.000%)
>     Filtered:            0 (  0.000%)
> Outstanding:            0 (  0.000%)
>     Injected:            0
> ===============================================================================
> Breakdown by protocol (includes rebuilt packets):
>          Eth:         1354 (100.000%)
>         VLAN:            0 (  0.000%)
>          IP4:            0 (  0.000%)
>         Frag:            0 (  0.000%)
>         ICMP:            0 (  0.000%)
>          UDP:            0 (  0.000%)
>          TCP:            0 (  0.000%)
>          IP6:            0 (  0.000%)
>      IP6 Ext:            0 (  0.000%)
>     IP6 Opts:            0 (  0.000%)
>        Frag6:            0 (  0.000%)
>        ICMP6:            0 (  0.000%)
>         UDP6:            0 (  0.000%)
>         TCP6:            0 (  0.000%)
>       Teredo:            0 (  0.000%)
>      ICMP-IP:            0 (  0.000%)
>      IP4/IP4:            0 (  0.000%)
>      IP4/IP6:            0 (  0.000%)
>      IP6/IP4:            0 (  0.000%)
>      IP6/IP6:            0 (  0.000%)
>          GRE:            0 (  0.000%)
>      GRE Eth:            0 (  0.000%)
>     GRE VLAN:            0 (  0.000%)
>      GRE IP4:            0 (  0.000%)
>      GRE IP6:            0 (  0.000%)
> GRE IP6 Ext:            0 (  0.000%)
>     GRE PPTP:            0 (  0.000%)
>      GRE ARP:            0 (  0.000%)
>      GRE IPX:            0 (  0.000%)
>     GRE Loop:            0 (  0.000%)
>         MPLS:            0 (  0.000%)
>          ARP:            0 (  0.000%)
>          IPX:            0 (  0.000%)
>     Eth Loop:            0 (  0.000%)
>     Eth Disc:            0 (  0.000%)
>     IP4 Disc:            0 (  0.000%)
>     IP6 Disc:            0 (  0.000%)
>     TCP Disc:            0 (  0.000%)
>     UDP Disc:            0 (  0.000%)
>    ICMP Disc:            0 (  0.000%)
> All Discard:            0 (  0.000%)
>        Other:         1354 (100.000%)
> Bad Chk Sum:            0 (  0.000%)
>      Bad TTL:            0 (  0.000%)
>       S5 G 1:            0 (  0.000%)
>       S5 G 2:            0 (  0.000%)
>        Total:         1354
> ===============================================================================
> Snort exiting
>
> [root at ...16242... khalavak]
>
> Same with tcpdump, not seeing any IP-traffic just weird "Unknown SSAP"
> and "Null information" packets:
>
> [root at ...16242... khalavak]# tcpdump -nn  -i eth1
> tcpdump: WARNING: eth1: no IPv4 address assigned
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
> 20:55:14.105981 00:10:db:fc:45:00 Unknown SSAP 0x26 > 00:50:56:95:20:66
> Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command],
> length 60
> 20:55:14.106120 00:50:56:95:45:00 > 00:10:db:fc:40:05 Null Information,
> send seq 32, rcv seq 0, Flags [Command], length 60
> 20:55:14.106840 00:10:db:fc:45:00 Unknown SSAP 0x26 > 00:50:56:95:20:66
> Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Response],
> length 52
> 20:55:14.107173 00:10:db:fc:45:00 Unknown SSAP 0x28 > 00:50:56:95:20:66
> Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command],
> length 191
> 20:55:14.107275 00:50:56:95:45:00 Unknown SSAP 0x3e > 00:10:db:fc:40:05
> Unknown DSAP 0x78 Information, send seq 32, rcv seq 0, Flags [Response],
> length 52
> 20:55:14.108298 00:50:56:95:45:00 Unknown SSAP 0x40 > 00:10:db:fc:40:05
> Unknown DSAP 0x78 Information, send seq 32, rcv seq 0, Flags [Command],
> length 138
> 20:55:14.108354 00:50:56:95:45:00 Unknown SSAP 0x40 > 00:10:db:fc:40:05
> Unknown DSAP 0x78 Information, send seq 32, rcv seq 0, Flags [Response],
> length 58
> 20:55:14.108423 00:50:56:95:45:00 STP > 00:10:db:fc:40:05 Unknown DSAP
> 0x78 Information, send seq 32, rcv seq 0, Flags [Command], length 89
> 20:55:14.109385 00:10:db:fc:45:00 Unknown SSAP 0x28 > 00:50:56:95:20:66
> Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Response],
> length 52
> 20:55:14.109395 00:10:db:fc:45:00 Unknown SSAP 0x2a > 00:50:56:95:20:66
> Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command],
> length 52
> 20:55:14.109400 00:10:db:fc:45:00 Unknown SSAP 0x2a > 00:50:56:95:20:66
> Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Response],
> length 52
> 20:55:14.109488 00:10:db:fc:45:00 Unknown SSAP 0x2c > 00:50:56:95:20:66
> Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command],
> length 95
> 20:55:14.109494 00:10:db:fc:45:00 Unknown SSAP 0x2c > 00:50:56:95:20:66
> Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Response],
> length 80
> 20:55:14.109567 00:50:56:95:45:00 STP > 00:10:db:fc:40:05 Unknown DSAP
> 0x78 Information, send seq 32, rcv seq 0, Flags [Response], length 52
> 20:55:14.110465 00:50:56:95:45:00 Unknown SSAP 0x44 > 00:10:db:fc:40:05
> Unknown DSAP 0x78 Information, send seq 32, rcv seq 0, Flags [Command],
> length 1206
> 20:55:14.110546 00:50:56:95:45:00 Unknown SSAP 0x44 > 00:10:db:fc:40:05
> Unknown DSAP 0x78 Information, send seq 32, rcv seq 0, Flags [Response],
> length 52
> 20:55:14.111141 00:10:db:fc:45:00 Unknown SSAP 0x2e > 00:50:56:95:20:66
> Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command],
> length 52
> 20:55:14.111327 00:10:db:fc:45:00 Unknown SSAP 0x2e > 00:50:56:95:20:66
> Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Response],
> length 75
> 20:55:14.111338 00:10:db:fc:45:00 Unknown SSAP 0x30 > 00:50:56:95:20:66
> Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command],
> length 52
> 20:55:14.111542 00:50:56:95:45:00 > 00:10:db:fc:40:05 Null Information,
> send seq 32, rcv seq 0, Flags [Command], length 46
> 20:55:14.111581 00:50:56:95:45:00 > 00:10:db:fc:40:05 Null Information,
> send seq 32, rcv seq 0, Flags [Command], length 46
> 20:55:14.119656 00:50:56:95:45:00 Unknown SSAP 0x44 > 00:50:56:95:20:64
> Unknown DSAP 0xb6 Information, send seq 32, rcv seq 0, Flags [Command],
> length 240
> ^C
> 22 packets captured
> 22 packets received by filter
> 0 packets dropped by kernel
> [root at ...16242... khalavak]#
>
> Best regards,
>
> Kim Halavakoski
>
> PGP S°: 0BFA A910 9AA7 94A5 A323  53F5 4151 4CE4 33BE 35FA
> kim.halavakoski at ...16241...
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
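The tcpdump lines quoted above ("Unknown SSAP 0x26 > ... Unknown DSAP 0x6c Information, send seq 32 ...") and Snort's breakdown of "Eth: 100%, Other: 100%, IP4: 0" are both produced by the same first decision every libpcap-based decoder makes on an Ethernet frame: if the 16-bit field after the two MAC addresses is greater than 1500 it is an EtherType (IPv4, ARP, 802.1Q tag, ...); if it is 1500 or below it is an IEEE 802.3 length, and the following bytes are parsed as an LLC header (DSAP, SSAP, control). The script below, an added example written for this thread and not code from the original post, from Snort or from tcpdump, applies that rule to three constructed frames (plain IPv4, 802.1Q-tagged IPv4, and an 802.3/LLC frame whose header bytes reproduce the first quoted tcpdump line) and prints a Snort-style breakdown. The MAC addresses are taken from the quoted trace; the VLAN id, IP addresses, payload lengths and all function names are assumptions.

```python
"""Show why a sniffer reports 'Unknown SSAP/DSAP' instead of IP traffic.

Constructed example for this thread, not code from the original post or
from Snort/tcpdump. Frames are built inline; MAC addresses come from the
quoted tcpdump output, everything else is made up.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100   # IEEE 802.1Q tag
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_QINQ = 0x88A8   # IEEE 802.1ad outer tag
ETHERMTU = 1500           # IEEE 802.3: type/length <= 1500 is a length, not a type
NAMES = {ETHERTYPE_IPV4: "IP4", ETHERTYPE_IPV6: "IP6", ETHERTYPE_ARP: "ARP"}


def classify_frame(frame: bytes) -> dict:
    """Decode the link-layer headers of one raw frame as tcpdump/Snort would."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (type_or_len,) = struct.unpack_from("!H", frame, 12)
    offset, vlans = 14, []
    while type_or_len in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):   # peel 802.1Q / 802.1ad tags
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, type_or_len = struct.unpack_from("!HH", frame, offset)
        vlans.append(tci & 0x0FFF)
        offset += 4
    info = {"src": src, "dst": dst, "vlans": vlans}
    if type_or_len > ETHERMTU:
        info["kind"] = NAMES.get(type_or_len, "Other")
        info["ethertype"] = type_or_len
        return info
    # 802.3 frame: the field is a payload length and an LLC header follows.
    if len(frame) < offset + 4:
        raise ValueError("truncated LLC header")
    dsap, ssap_raw, c0, c1 = frame[offset:offset + 4]
    info.update(kind="802.3/LLC", payload_len=type_or_len,
                dsap=dsap, ssap=ssap_raw & 0xFE,       # tcpdump prints SSAP with the C/R bit cleared
                command=(ssap_raw & 1) == 0)            # C/R bit: 0 = Command, 1 = Response
    if c0 & 1 == 0:                                     # I-format control field (16 bits)
        info.update(send_seq=(c0 >> 1) & 0x7F, rcv_seq=(c1 >> 1) & 0x7F)
    return info


def summarize(frames) -> dict:
    """Counts in the style of Snort's 'Breakdown by protocol' table."""
    counts = {"Eth": 0, "VLAN": 0, "IP4": 0, "Other": 0}
    for f in frames:
        info = classify_frame(f)
        counts["Eth"] += 1
        counts["VLAN"] += bool(info["vlans"])
        counts["IP4" if info["kind"] == "IP4" else "Other"] += 1
    return counts


def build_frame(dst, src, type_or_len, payload, vlan_ids=()):
    """Assemble a frame; vlan_ids adds one 802.1Q tag per VLAN id."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vlan_ids:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vid & 0x0FFF)
    return hdr + struct.pack("!H", type_or_len) + payload


# Constructed payloads: a minimal IPv4 header, and an LLC header whose bytes
# reproduce 'SSAP 0x26 > DSAP 0x6c Information, send seq 32, rcv seq 0,
# Flags [Command]' from the quoted trace (DSAP 0x6c, SSAP 0x26, control 0x40 0x00).
IPV4_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
LLC_PAYLOAD = bytes([0x6C, 0x26, 0x40, 0x00]) + bytes(34)
DST, SRC = "00:50:56:95:20:66", "00:10:db:fc:45:00"
SAMPLE_FRAMES = [
    build_frame(DST, SRC, ETHERTYPE_IPV4, IPV4_HDR),                   # plain IPv4: counted as IP4
    build_frame(DST, SRC, ETHERTYPE_IPV4, IPV4_HDR, vlan_ids=(100,)),  # 802.1Q + IPv4: VLAN and IP4
    build_frame(DST, SRC, len(LLC_PAYLOAD), LLC_PAYLOAD),              # 802.3/LLC: only Eth and Other
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(classify_frame(f))
    print(summarize(SAMPLE_FRAMES))
```

Running it shows the third frame decoded as 802.3/LLC with DSAP 0x6c, SSAP 0x26, send seq 32 and the Command flag, while the tagged frame is reported under both VLAN and IP4. A capture in which every frame takes the LLC path, as in the quoted output, therefore means the bytes at offset 12 of each frame are not an EtherType at all; comparing a few raw frames (`tcpdump -xx`) from the Linux box against the same traffic captured on the Windows 7 laptop is the quickest way to see where the first 14 to 18 bytes differ.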