[Snort-users] Centos 6.4, bnx2 in promiscuous mode does not see packets

Giles Coochey giles at ...9346...
Wed Jul 3 05:34:31 EDT 2013


On 02/07/2013 16:53, Y M wrote:
> We had a PowerEdge server once with BCM57xx with bnx2 drivers and we 
> had no issues at all, we were running Ubuntu server though. Do you 
> have a spare NIC other than BCM,  that you can stick in to the server 
> and test with? Just an idea to eliminate the NIC factor.
>
Actually, I checked the port mirror with a laptop and wireshark and 
found that it was reporting exactly the traffic that was being sent, it 
appears to be a limitation or interpretation of the port mirror feature 
on the Nortel 3510-24T (wish it was a Cisco!)

>
> ------------------------------------------------------------------------
> Date: Tue, 2 Jul 2013 09:43:50 +0100
> From: giles at ...9346...
> To: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Centos 6.4, bnx2 in promiscuous mode does 
> not see packets
>
> On 02/07/2013 09:16, Y M wrote:
>
>     Couple of questions that may help troubleshoot the issue:
>
>     1. What kind of traffic you are forwarding? i.e.: VLAN tagged traffic?
>          If yes, then you may need to enable VLAN support in Linux if
>     not enabled already: modprobe 8021q
>
>
> It isn't tagged traffic, but I tried loading the module, and found 
> that I have the same issue.
>
>     2. If you run Snort with -k none (for testing purposes), do you
>     get all traffic?
>
>
> All I saw was 5 ARP packets... which is the same if I just run it 
> without -k none
>
>     3. If you disable NIC offloading functions such as tso, gro, etc.,
>     Does it make a difference?
>
>
> That's an idea, I used ethtool -K to disable what I could:
>
> [root at ...780... ~]# ethtool -k eth1
> Features for eth1:
> rx-checksumming: off
> tx-checksumming: off
> scatter-gather: off
> tcp-segmentation-offload: off
> udp-fragmentation-offload: off
> generic-segmentation-offload: off
> generic-receive-offload: off
> large-receive-offload: off
> rx-vlan-offload: on
> tx-vlan-offload: on
> ntuple-filters: off
> receive-hashing: off
>
> Unfortunately, I still get the same issue, I was wondering whether 
> there is something specific with the Broadcom bnx2, would have thought 
> there would be something documented about it as it is supposed to be 
> quite common in Dell PowerEdge servers...
>
>
>     This is what I can think of for now. May be someone in the
>     list can help more. Thanks.
>
>     YM
>
>     ------------------------------------------------------------------------
>     Date: Tue, 2 Jul 2013 08:52:57 +0100
>     From: giles at ...9346... <mailto:giles at ...9346...>
>     To: snort-users at lists.sourceforge.net
>     <mailto:snort-users at lists.sourceforge.net>
>     Subject: [Snort-users] Centos 6.4, bnx2 in promiscuous mode does
>     not see packets
>
>     Hi,
>
>     I hope someone can help me, I cannot seem to get a system's
>     ethernet interface to correctly work in promiscuous mode...
>
>     I have a Centos 6.4 system with 2 bnx2 interfaces on it.
>
>     I have set up eth1 in promiscuous mode and am sending traffic to
>     it using the port mirroring configuration on a Nortel 3510-24T
>     switch.
>     The switch reports that it is sending a fair amount of traffic to
>     the mirror port.
>
>     However, within Centos 6.4, I only see broadcast traffic from the
>     switch:
>
>     [root at ...780... eth1]# ifconfig eth1
>     eth1      Link encap:Ethernet  HWaddr 00:19:B9:E2:30:AE
>               UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500  Metric:1
>               RX packets:75 errors:0 dropped:0 overruns:0 frame:0
>               TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>               collisions:0 txqueuelen:1000
>               RX bytes:4800 (4.6 KiB)  TX bytes:0 (0.0 b)
>
>     I have tried various options configuring eth1 via
>     /etc/sysconfig/networking/devices/ifcfg-eth1
>
>     Currently it looks like this:
>
>     DEVICE=eth1
>     BOOTPROTO=static
>     HWADDR=00:19:B9:E2:30:AE
>     #NM_CONTROLLED=no
>     ONBOOT=yes
>     TYPE=Ethernet
>     #UUID="e753ec9b-fc35-4460-bcd1-87f26f8d1553"
>     IPV6INIT=no
>     USERCTL=no
>     PROMISC=yes
>
>     I have also tried to manually put the interface in promiscuous
>     mode (as I think PROMISC=yes is deprecated):
>
>     ifconfig eth1 promisc
>
>     It shows as being in promiscuous mode via ifconfig...
>
>     The relevant parks of bootup / system messages:
>
>     bnx2: Broadcom NetXtreme II Gigabit Ethernet Driver bnx2 v2.2.3
>     (June 27, 2012)
>     bnx2 0000:05:00.0: PCI INT A -> GSI 16 (level, low) -> IRQ 16
>     bnx2 0000:05:00.0: firmware: requesting bnx2/bnx2-mips-06-6.2.3.fw
>     bnx2 0000:05:00.0: firmware: requesting bnx2/bnx2-rv2p-06-6.0.15.fw
>     bnx2 0000:05:00.0: eth0: Broadcom NetXtreme II BCM5708 1000Base-T
>     (B2) PCI-X 64-bit 133MHz found at mem f8000000, IRQ 16, node addr
>     00:19:b9:e2:30:ac
>     bnx2 0000:09:00.0: PCI INT A -> GSI 16 (level, low) -> IRQ 16
>     bnx2 0000:09:00.0: firmware: requesting bnx2/bnx2-mips-06-6.2.3.fw
>     bnx2 0000:09:00.0: firmware: requesting bnx2/bnx2-rv2p-06-6.0.15.fw
>     bnx2 0000:09:00.0: eth1: Broadcom NetXtreme II BCM5708 1000Base-T
>     (B2) PCI-X 64-bit 133MHz found at mem f4000000, IRQ 16, node addr
>     00:19:b9:e2:30:ae
>     bnx2 0000:05:00.0: irq 95 for MSI/MSI-X
>     bnx2 0000:05:00.0: eth0: using MSI
>     bnx2 0000:05:00.0: eth0: NIC Copper Link is Up, 1000 Mbps full duplex
>     bnx2 0000:09:00.0: irq 96 for MSI/MSI-X
>     bnx2 0000:09:00.0: eth1: using MSI
>     bnx2 0000:09:00.0: eth1: NIC Copper Link is Up, 1000 Mbps full
>     duplex, receive & transmit flow control ON
>     bnx2 0000:05:00.0: irq 95 for MSI/MSI-X
>     bnx2 0000:05:00.0: eth0: using MSI
>     bnx2 0000:05:00.0: eth0: NIC Copper Link is Up, 1000 Mbps full duplex
>     bnx2 0000:09:00.0: irq 96 for MSI/MSI-X
>     bnx2 0000:09:00.0: eth1: using MSI
>     bnx2 0000:09:00.0: eth1: NIC Copper Link is Up, 1000 Mbps full
>     duplex, receive & transmit flow control ON
>
>     Does anyone have any ideas?
>
>     Thanks
>
>     Giles
>
>     ------------------------------------------------------------------------------
>     This SF.net email is sponsored by Windows: Build for Windows
>     Store. http://p.sf.net/sfu/windows-dev2dev
>     _______________________________________________ Snort-users
>     mailing list Snort-users at lists.sourceforge.net
>     <mailto:Snort-users at lists.sourceforge.net> Go to this URL to
>     change user options or unsubscribe:
>     https://lists.sourceforge.net/lists/listinfo/snort-users
>     Snort-users list archive:
>     http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please
>     visit http://blog.snort.org to stay current on all the latest
>     Snort news!
>
>
>
> -- 
> Regards,
>
> Giles Coochey, CCNP, CCNA, CCNAS
> NetSecSpec Ltd
> +44 (0) 7983 877438
> http://www.coochey.net
> http://www.netsecspec.co.uk
> giles at ...9346...  <mailto:giles at ...9346...>
>
> ------------------------------------------------------------------------------ 
> This SF.net email is sponsored by Windows: Build for Windows Store. 
> http://p.sf.net/sfu/windows-dev2dev
> _______________________________________________ Snort-users mailing 
> list Snort-users at lists.sourceforge.net Go to this URL to change user 
> options or unsubscribe: 
> https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users 
> list archive: 
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users 
> Please visit http://blog.snort.org to stay current on all the latest 
> Snort news!


-- 
Regards,

Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
giles at ...9346...

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130703/c8c0cefd/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4968 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130703/c8c0cefd/attachment.bin>


More information about the Snort-users mailing list