[Snort-users] AF_Packet module

Long, Kerry S kslong at ...312...
Fri Feb 28 13:54:33 EST 2014

I am experimenting with AF_Packet DAQ module.  Fully understand it is intended to be used to provide an inline FW capability/IPS.  What I was wondering is if it is possible to get AF_PACKET to forward the same traffic it saw on one interface to another interface so a program like Wireshark could sniff from the second interface and see all the traffic that was being seen by the first interface?

So if I use the command:

/usr/bin/snort --daq afpacket --daq-dir /lib/daq --daq-var buffer_size_mb=500 -i p10p1:p10p2  -c /etc/snort/snort.conf

It is possible to sniff the second interface by using tcpdump -I p10p2 and see all the traffic on p10p1.  Is there a way to do this with Snort I am unaware of?



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140228/82ec86dc/attachment.html>

More information about the Snort-users mailing list