Snort mailing list archives

how to use expressions on a stealth interface


From: Thomas Uczekaj <tuczek01 () freight fedex com>
Date: Wed, 26 Mar 2003 14:28:46 -0700


Hi -

I have set up an interface in stealth mode (no IP assigned to the interface, the switch port has been set up to do spanning so I can see all traffic on the subnet).  When I run snort in sniffer mode (snort -i intf1 -ve net 10.67.2.0/24), the expression syntax to filter the data does not work.  It doesn't seem to recognize any of the data as normal IP.  However, when I run it without any expressions (snort -i intf1 -ve), statistics report back about pct's for TCP/UDP/... etc.

Similarly, tcpdump cannot use expressions to filter the data.  Does anyone have an idea of using either of these tools to make this happen?

--
Thomas Uczekaj         -  (602) 685-3532
FedEx Freight System   -  Information Security
Email                  -  tom.uczekaj () freight fedex com
=======================================================


