Snort mailing list archives
RE: a lot of Loopback traffic being logged.
From: Milan Kocián <milon () wq cz>
Date: Sun, 25 Apr 2004 20:24:14 +0200
On Fri, 2004-04-23 at 19:23, Chuck Holley wrote:
> Did you sniff for 127.0.0.1 packets? I'm using tcpdump and I sniffed for a while with this command:
>
>   tcpdump src 127.0.0.1 -s 1518 -i eth0 -w dump
>
> I'm assuming I'm doing this right. I'm trying to log only packets from 127.0.0.1 and log the whole Ethernet packet 1518 on interface eth0 and write to a file called dump. Now, I did this and got two loggings in tcpdump:
>
>   13:04:11.172652 IP hal2.http > 192.168.42.50.1361: R 0:0(0) ack 799408129 win 0
>   13:04:54.391786 IP hal2.http > 192.168.42.52.1196: R 0:0(0) ack 1316880385 win 0
>
> hal2 is the server that has tcpdump on it. Is this machine one of the boxes that is sending out the 127.0.0.1, or did I simply pick up two packets sent out from hal2 to these other machines? I looked at snort and the exact same IPs, with the exact same ports, were logged coming from 127.0.0.1.
>
> To say the least I'm confused even more!!

Hi,

I see it on my external interface too. I used tcpdump with the -e parameter to display the MAC address of the sender:

  tcpdump -e -i eth1 src host 127.0.0.1

I find that the MAC address of the loopback packets is my ISP's Cisco switch. So all packets come from the external network (I think). I am connected over a wi-fi AP, and when I sniffed, I saw that these packets are coming to most people connected to this AP. I don't know what it can be.

Regards,
Milan Kocian