Snort mailing list archives
Re: IFACE -i any problem
From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Thu, 05 Jun 2003 00:23:47 +0200
Well it's working perfectly here. Don't know what you're doing wrong. It might be your kernel config. See if you have <*> Packet socket [*] Packet socket: mmapped IO ... [*] Socket Filtering active, but afaik the error log is different then, complaining that Snort is using the old socket (kernel version < 2.2, I think) for sniffing. You may have to load the module "af_packet" if you won't rebuild your kernel. Anyway, "-i any" is not realy wise, 'cause Snort will see your loopback traffic too. At least use it with "snort ... not host 127.0.0.1", to filter the lo traffic. Regards, Edin Marcus Robb wrote:
Hi, I'm sure this is an old issue, but I can't find a resolution. I've found posts that say libpcap has been able to listen on multiple interfaces for several versions now. I have a redhat 7.3 system with 5 nics, 4 of the nics cover multiple paths, 1 is a management interface. I only expect to capture packets on 2 of the promiscuous nics at any time. The IFACE=any option would be perfect for me. Snort 2.0 and the latest libpcap are both compiled from the latest stable sources. When I try to start snort with the -i any switch I have errors in /var/log/messages that say "modprobe can't find module any." Snort starts but then no longer sees traffic on any of the interfaces. If I start Snort on a single interface, say eth1, it works just fine. Can anyone point me in the right direction please. My searches keep turning up nada for a solution. Thanks
-- Edin Dizdarevic ------------------------------------------------------- This SF.net email is sponsored by: Etnus, makers of TotalView, The best thread debugger on the planet. Designed with thread debugging features you've never dreamed of, try TotalView 6 free at www.etnus.com. _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- IFACE -i any problem Marcus Robb (Jun 04)
- Re: IFACE -i any problem Edin Dizdarevic (Jun 04)
- Re: IFACE -i any problem Edin Dizdarevic (Jun 04)