[Snort-users] Centos 6.4, bnx2 in promiscuous mode does not see packets

Giles Coochey giles at ...9346...
Tue Jul 2 04:43:50 EDT 2013


On 02/07/2013 09:16, Y M wrote:
> Couple of questions that may help troubleshoot the issue:
>
> 1. What kind of traffic are you forwarding? i.e.: VLAN tagged traffic?
>      If yes, then you may need to enable VLAN support in Linux if not 
> enabled already: modprobe 8021q

It isn't tagged traffic, but I tried loading the module, and found that 
I have the same issue.

> 2. If you run Snort with -k none (for testing purposes), do you get 
> all traffic?

All I saw was 5 ARP packets... which is the same if I just run it 
without -k none

> 3. If you disable NIC offloading functions such as tso, gro, etc., 
> Does it make a difference?

That's an idea, I used ethtool -K to disable what I could:

[root at ...780... ~]# ethtool -k eth1
Features for eth1:
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp-segmentation-offload: off
udp-fragmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off
receive-hashing: off

Unfortunately, I still get the same issue, I was wondering whether there 
is something specific with the Broadcom bnx2, would have thought there 
would be something documented about it as it is supposed to be quite 
common in Dell PowerEdge servers...

>
> This is what I can think of for now. Maybe someone on the list can 
> help more. Thanks.
>
> YM
>
> ------------------------------------------------------------------------
> Date: Tue, 2 Jul 2013 08:52:57 +0100
> From: giles at ...9346...
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Centos 6.4, bnx2 in promiscuous mode does not 
> see packets
>
> Hi,
>
> I hope someone can help me, I cannot seem to get a system's ethernet 
> interface to correctly work in promiscuous mode...
>
> I have a Centos 6.4 system with 2 bnx2 interfaces on it.
>
> I have set up eth1 in promiscuous mode and am sending traffic to it 
> using the port mirroring configuration on a Nortel 3510-24T switch.
> The switch reports that it is sending a fair amount of traffic to the 
> mirror port.
>
> However, within Centos 6.4, I only see broadcast traffic from the switch:
>
> [root at ...780... eth1]# ifconfig eth1
> eth1      Link encap:Ethernet  HWaddr 00:19:B9:E2:30:AE
>           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500 Metric:1
>           RX packets:75 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:4800 (4.6 KiB)  TX bytes:0 (0.0 b)
>
> I have tried various options configuring eth1 via 
> /etc/sysconfig/networking/devices/ifcfg-eth1
>
> Currently it looks like this:
>
> DEVICE=eth1
> BOOTPROTO=static
> HWADDR=00:19:B9:E2:30:AE
> #NM_CONTROLLED=no
> ONBOOT=yes
> TYPE=Ethernet
> #UUID="e753ec9b-fc35-4460-bcd1-87f26f8d1553"
> IPV6INIT=no
> USERCTL=no
> PROMISC=yes
>
> I have also tried to manually put the interface in promiscuous mode 
> (as I think PROMISC=yes is deprecated):
>
> ifconfig eth1 promisc
>
> It shows as being in promiscuous mode via ifconfig...
>
> The relevant parts of bootup / system messages:
>
> bnx2: Broadcom NetXtreme II Gigabit Ethernet Driver bnx2 v2.2.3 (June 
> 27, 2012)
> bnx2 0000:05:00.0: PCI INT A -> GSI 16 (level, low) -> IRQ 16
> bnx2 0000:05:00.0: firmware: requesting bnx2/bnx2-mips-06-6.2.3.fw
> bnx2 0000:05:00.0: firmware: requesting bnx2/bnx2-rv2p-06-6.0.15.fw
> bnx2 0000:05:00.0: eth0: Broadcom NetXtreme II BCM5708 1000Base-T (B2) 
> PCI-X 64-bit 133MHz found at mem f8000000, IRQ 16, node addr 
> 00:19:b9:e2:30:ac
> bnx2 0000:09:00.0: PCI INT A -> GSI 16 (level, low) -> IRQ 16
> bnx2 0000:09:00.0: firmware: requesting bnx2/bnx2-mips-06-6.2.3.fw
> bnx2 0000:09:00.0: firmware: requesting bnx2/bnx2-rv2p-06-6.0.15.fw
> bnx2 0000:09:00.0: eth1: Broadcom NetXtreme II BCM5708 1000Base-T (B2) 
> PCI-X 64-bit 133MHz found at mem f4000000, IRQ 16, node addr 
> 00:19:b9:e2:30:ae
> bnx2 0000:05:00.0: irq 95 for MSI/MSI-X
> bnx2 0000:05:00.0: eth0: using MSI
> bnx2 0000:05:00.0: eth0: NIC Copper Link is Up, 1000 Mbps full duplex
> bnx2 0000:09:00.0: irq 96 for MSI/MSI-X
> bnx2 0000:09:00.0: eth1: using MSI
> bnx2 0000:09:00.0: eth1: NIC Copper Link is Up, 1000 Mbps full duplex, 
> receive & transmit flow control ON
> bnx2 0000:05:00.0: irq 95 for MSI/MSI-X
> bnx2 0000:05:00.0: eth0: using MSI
> bnx2 0000:05:00.0: eth0: NIC Copper Link is Up, 1000 Mbps full duplex
> bnx2 0000:09:00.0: irq 96 for MSI/MSI-X
> bnx2 0000:09:00.0: eth1: using MSI
> bnx2 0000:09:00.0: eth1: NIC Copper Link is Up, 1000 Mbps full duplex, 
> receive & transmit flow control ON
>
> Does anyone have any ideas?
>
> Thanks
>
> Giles
>


-- 
Regards,

Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
giles at ...9346...
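
The checks discussed in this thread, as an added example that is not part of the original message: a script that parses the `ethtool -k` and `ifconfig` output formats quoted above and summarises whether PROMISC is set, the RX packet count, and which offload features are still on. The function names are hypothetical and the sample inputs are copied from the message.

```sh
# Added example, not from the original thread. Function names are hypothetical;
# the two samples below are copied from the output quoted in the message.
ETHTOOL_SAMPLE='Features for eth1:
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp-segmentation-offload: off
udp-fragmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off
receive-hashing: off'

IFCONFIG_SAMPLE='eth1      Link encap:Ethernet  HWaddr 00:19:B9:E2:30:AE
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500 Metric:1
          RX packets:75 errors:0 dropped:0 overruns:0 frame:0'

# Comma-separated features still "on" in `ethtool -k` output (stdin).
# Tolerates indented lines and "on [fixed]" as printed by newer ethtool.
offloads_still_on() {
    awk -F':' '
        /^Features for/ { next }
        NF >= 2 {
            name = $1; val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+/, "", val)
            if (val ~ /^on/) out = out (out == "" ? "" : ",") name
        }
        END { print out }'
}

# RX packet counter from net-tools style `ifconfig` output (stdin).
rx_packets() {
    sed -n 's/.*RX packets:\([0-9][0-9]*\).*/\1/p'
}

# $1 = ifconfig text, $2 = ethtool -k text; prints a one-line summary.
sensor_report() {
    if printf '%s\n' "$1" | grep -qw PROMISC; then p=yes; else p=no; fi
    rx=$(printf '%s\n' "$1" | rx_packets)
    on=$(printf '%s\n' "$2" | offloads_still_on)
    printf 'promisc=%s rx_packets=%s offloads_on=%s\n' "$p" "${rx:-unknown}" "${on:-none}"
}
sensor_report "$IFCONFIG_SAMPLE" "$ETHTOOL_SAMPLE"
```

On a live sensor, pass `"$(ifconfig eth1)"` and `"$(ethtool -k eth1)"` to `sensor_report` instead of the samples, and run it twice a few seconds apart to see whether the RX counter is moving.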
