Snort mailing list archives
Re: Re: Snort & Acid
From: Erek Adams <erek () snort org>
Date: Wed, 21 May 2003 10:02:36 -0400 (EDT)
On Tue, 20 May 2003 Colin.Slevin () transwareplc com wrote:
I am having another problem. I have two network cards on my machine, one for sniffing and one for normal network activity. When I type snort -W I get these two NIC cards, which are correct. But the card I want to sniff is the second but snort is using the first even when I specify the second in the snort.conf.
Well... Without knowing how you're starting Snort or what you have in your snort.conf file, I'm guessing... Snort can only sniff on one interface at a time. You'll have to run two instances if you want to sniff on two different cards. If you have the -i <interface> parameter used on the command line it will override anything set in the snort.conf. So try starting with -i 2 instead of -i 1 and having the second interface in the snort.conf file. Is the second interface connected to a DSL or Cable modem? If it's any type of NDIS link then you're out of luck as the current versions of Winpcap no longer support dialup adapters.
What do I do to change the situation? I know that one should be in promiscuous mode but all traffic seems to be directed through this card.
I'm sorry, but that doesn't make much sense. 'This card?' _Which_ card are you talking about? What do you mean by 'all traffic?'
I am using snort on Win2k with mysql and acid and obviously php.

\Device\NPF_{37B8DFB9-9F3C-4585-BF8C-F65A3422564B} (Intel 8255x-based Integrated Fast Ethernet) normal traffic (IP 10.0.0.46)
\Device\NPF_{185E1F8A-0E33-4774-9193-076063E4A164} (Compac Ethernet/FastEthernet or Gigabit NIC) promiscuous mode (IP 10.0.0.47)

I don't think that this should have an IP address, so if you can also tell me how to get this to sniff without an IP address that would be great too ...
Check the 2.0 FAQ, #3.1. The 2.0 FAQ is located in the /doc directory of the tarball.

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson
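As an added example (not part of the original thread or of Snort itself), the sketch below resolves the sniffing adapter's index from a `snort -W` style listing and builds a command line with an explicit `-i`, so the sensor cannot silently bind to the wrong NIC. The leading index column in the listing, the helper names and the `snort.conf` path are assumptions; the two device names are the ones quoted in the thread.

```python
import re

# Constructed listing in the style of `snort -W` on Windows. The leading index
# column is an assumption; the device names are the two quoted in the thread.
SAMPLE_LISTING = r"""
1 \Device\NPF_{37B8DFB9-9F3C-4585-BF8C-F65A3422564B} (Intel 8255x-based Integrated Fast Ethernet)
2 \Device\NPF_{185E1F8A-0E33-4774-9193-076063E4A164} (Compac Ethernet/FastEthernet or Gigabit NIC)
"""

# index, WinPcap device name, then the adapter description in parentheses
LINE_RE = re.compile(r"^\s*(\d+)\s+(\\Device\\NPF_\{[0-9A-Fa-f-]+\})\s+\((.*)\)\s*$")


def parse_interfaces(listing):
    """Return [(index, device, description)] for every adapter line found."""
    found = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((int(m.group(1)), m.group(2), m.group(3)))
    return found


def pick_interface(listing, needle):
    """Return the index of the one adapter whose device name or description
    contains `needle`; raise if the match is missing or ambiguous."""
    needle = needle.lower()
    hits = [i for i in parse_interfaces(listing)
            if needle in i[1].lower() or needle in i[2].lower()]
    if len(hits) != 1:
        raise ValueError(f"{len(hits)} adapters match {needle!r}; refusing to guess")
    return hits[0][0]


def snort_argv(listing, needle, conf="snort.conf"):
    """Build the command line with an explicit -i, which (per the reply above)
    overrides any interface set in snort.conf."""
    return ["snort", "-i", str(pick_interface(listing, needle)), "-c", conf]


if __name__ == "__main__":
    # Select the sniffing NIC by part of its GUID rather than by position.
    print(" ".join(snort_argv(SAMPLE_LISTING, "185E1F8A")))
```

Matching on the GUID rather than a fixed index keeps the sensor on the intended card if adapter order changes after a driver or hardware change.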