Snort mailing list archives
Re: Snort not seeing IP-traffic, just Ether/Other
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 18 Apr 2013 12:52:17 -0600
On 2013-04-18 12:01, Kim.Halavakoski () Crosskey fi wrote:
Hello, I have set up a snort-sensor on a RedHat Linux box with traffic from a switch span-port feeding eth1 on the box. The traffic contains vlan-tagged traffic, if that makes any difference. The problem is that I am just getting some weird multicast / SSAP and DSAP encapsulated Ethernet frames on that interface on the Linux box, but when a colleague plugged in his laptop with Windows 7 on the same port it saw all the traffic that I would like to see, meaning IP-traffic from the monitored networks. So Windows 7 sees the traffic, but the Linux box running snort just sees weird multicast / SSAP / DSAP traffic. tcpdump does not show any IP traffic either. I know this is probably not a snort-question per se, but being snort-users list I think some of you guys might have some good insights to this behaviour, probably easy to fix but I just can't get it right now :( Any ideas on what I am doing wrong here?
Best regards, Kim Halavakoski
Doesn't seem like your span-port is working..you should at least see broadcast though...that's weird. Try setting your nic offloading (as root and with ethtool installed):

ethtool -K eth1 rx off
ethtool -K eth1 tx off
ethtool -K eth1 sg off
ethtool -K eth1 tso off
ethtool -K eth1 gso off
ethtool -K eth1 gro off

Also, any VLAN action going on?

James
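A check for whether the six offloads named in the reply above are still enabled on the sensor interface, as an added example that is not part of the original message. The function names and the sample `ethtool -k` output are constructed for illustration; the long feature names are the ones `ethtool -k` prints for the short `-K` flags.

```shell
#!/bin/sh
# Added example (not from the thread): list which of the offloads
# rx tx sg tso gso gro are still "on" in `ethtool -k <iface>` output.
# Reads the ethtool output on stdin, prints one short -K flag per line.
offloads_still_on() {
    awk '
        BEGIN {
            # long name printed by `ethtool -k` -> short flag used with -K
            flag["rx-checksumming"]              = "rx"
            flag["tx-checksumming"]              = "tx"
            flag["scatter-gather"]               = "sg"
            flag["tcp-segmentation-offload"]     = "tso"
            flag["generic-segmentation-offload"] = "gso"
            flag["generic-receive-offload"]      = "gro"
        }
        {
            name = $1
            sub(/:$/, "", name)
            # Indented sub-features (tx-checksum-ipv4, ...) are not in the
            # map and are skipped; only the six top-level features count.
            if ((name in flag) && $2 == "on") print flag[name]
        }
    '
}

# Constructed sample of `ethtool -k eth1` output, so the check runs offline.
sample_output() {
    cat <<'EOF'
Features for eth1:
rx-checksumming: on
tx-checksumming: off
    tx-checksum-ipv4: off
scatter-gather: on
    tx-scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]
EOF
}

# Offline demonstration on the constructed sample.
sample_output | offloads_still_on

# On the sensor itself (assumes root, ethtool installed, interface eth1):
#   ethtool -k eth1 | offloads_still_on
```

An empty result means all six features are off; a feature shown by `ethtool -k` as `on [fixed]` is still reported, and the driver will not allow `-K` to change it.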