Snort mailing list archives
Re: Centos 6.4, bnx2 in promiscuous mode does not see packets
From: Giles Coochey <giles () coochey net>
Date: Wed, 03 Jul 2013 10:34:31 +0100
On 02/07/2013 16:53, Y M wrote:
We had a PowerEdge server once with BCM57xx with bnx2 drivers and we had no issues at all, we were running Ubuntu server though. Do you have a spare NIC other than BCM, that you can stick in to the server and test with? Just an idea to eliminate the NIC factor.Actually, I checked the port mirror with a laptop and wireshark and found that it was reporting exactly the traffic that was being sent, it appears to be a limitation or interpretation of the port mirror feature on the Nortel 3510-24T (wish it was a Cisco!)
------------------------------------------------------------------------ Date: Tue, 2 Jul 2013 09:43:50 +0100 From: giles () coochey net To: snort-users () lists sourceforge netSubject: Re: [Snort-users] Centos 6.4, bnx2 in promiscuous mode does not see packetsOn 02/07/2013 09:16, Y M wrote: Couple of questions that may help troubleshoot the issue: 1. What kind of traffic you are forwarding? i.e.: VLAN tagged traffic? If yes, then you may need to enable VLAN support in Linux if not enabled already: modprobe 8021qIt isn't tagged traffic, but I tried loading the module, and found that I have the same issue.2. If you run Snort with -k none (for testing purposes), do you get all traffic?All I saw was 5 ARP packets... which is the same if I just run it without -k none3. If you disable NIC offloading functions such as tso, gro, etc., Does it make a difference? That's an idea, I used ethtool -K to disable what I could: [root@host ~]# ethtool -k eth1 Features for eth1: rx-checksumming: off tx-checksumming: off scatter-gather: off tcp-segmentation-offload: off udp-fragmentation-offload: off generic-segmentation-offload: off generic-receive-offload: off large-receive-offload: off rx-vlan-offload: on tx-vlan-offload: on ntuple-filters: off receive-hashing: offUnfortunately, I still get the same issue, I was wondering whether there is something specific with the Broadcom bnx2, would have thought there would be something documented about it as it is supposed to be quite common in Dell PowerEdge servers...This is what I can think of for now. May be someone in the list can help more. Thanks. YM ------------------------------------------------------------------------ Date: Tue, 2 Jul 2013 08:52:57 +0100 From: giles () coochey net <mailto:giles () coochey net> To: snort-users () lists sourceforge net <mailto:snort-users () lists sourceforge net> Subject: [Snort-users] Centos 6.4, bnx2 in promiscuous mode does not see packets Hi, I hope someone can help me, I cannot seem to get a system's ethernet interface to correctly work in promiscuous mode... I have a Centos 6.4 system with 2 bnx2 interfaces on it. I have set up eth1 in promiscuous mode and am sending traffic to it using the port mirroring configuration on a Nortel 3510-24T switch. The switch reports that it is sending a fair amount of traffic to the mirror port. However, within Centos 6.4, I only see broadcast traffic from the switch: [root@host eth1]# ifconfig eth1 eth1 Link encap:Ethernet HWaddr 00:19:B9:E2:30:AE UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1 RX packets:75 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:4800 (4.6 KiB) TX bytes:0 (0.0 b) I have tried various options configuring eth1 via /etc/sysconfig/networking/devices/ifcfg-eth1 Currently it looks like this: DEVICE=eth1 BOOTPROTO=static HWADDR=00:19:B9:E2:30:AE #NM_CONTROLLED=no ONBOOT=yes TYPE=Ethernet #UUID="e753ec9b-fc35-4460-bcd1-87f26f8d1553" IPV6INIT=no USERCTL=no PROMISC=yes I have also tried to manually put the interface in promiscuous mode (as I think PROMISC=yes is deprecated): ifconfig eth1 promisc It shows as being in promiscuous mode via ifconfig... The relevant parks of bootup / system messages: bnx2: Broadcom NetXtreme II Gigabit Ethernet Driver bnx2 v2.2.3 (June 27, 2012) bnx2 0000:05:00.0: PCI INT A -> GSI 16 (level, low) -> IRQ 16 bnx2 0000:05:00.0: firmware: requesting bnx2/bnx2-mips-06-6.2.3.fw bnx2 0000:05:00.0: firmware: requesting bnx2/bnx2-rv2p-06-6.0.15.fw bnx2 0000:05:00.0: eth0: Broadcom NetXtreme II BCM5708 1000Base-T (B2) PCI-X 64-bit 133MHz found at mem f8000000, IRQ 16, node addr 00:19:b9:e2:30:ac bnx2 0000:09:00.0: PCI INT A -> GSI 16 (level, low) -> IRQ 16 bnx2 0000:09:00.0: firmware: requesting bnx2/bnx2-mips-06-6.2.3.fw bnx2 0000:09:00.0: firmware: requesting bnx2/bnx2-rv2p-06-6.0.15.fw bnx2 0000:09:00.0: eth1: Broadcom NetXtreme II BCM5708 1000Base-T (B2) PCI-X 64-bit 133MHz found at mem f4000000, IRQ 16, node addr 00:19:b9:e2:30:ae bnx2 0000:05:00.0: irq 95 for MSI/MSI-X bnx2 0000:05:00.0: eth0: using MSI bnx2 0000:05:00.0: eth0: NIC Copper Link is Up, 1000 Mbps full duplex bnx2 0000:09:00.0: irq 96 for MSI/MSI-X bnx2 0000:09:00.0: eth1: using MSI bnx2 0000:09:00.0: eth1: NIC Copper Link is Up, 1000 Mbps full duplex, receive & transmit flow control ON bnx2 0000:05:00.0: irq 95 for MSI/MSI-X bnx2 0000:05:00.0: eth0: using MSI bnx2 0000:05:00.0: eth0: NIC Copper Link is Up, 1000 Mbps full duplex bnx2 0000:09:00.0: irq 96 for MSI/MSI-X bnx2 0000:09:00.0: eth1: using MSI bnx2 0000:09:00.0: eth1: NIC Copper Link is Up, 1000 Mbps full duplex, receive & transmit flow control ON Does anyone have any ideas? Thanks Giles ------------------------------------------------------------------------------ This SF.net email is sponsored by Windows: Build for Windows Store. http://p.sf.net/sfu/windows-dev2dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net <mailto:Snort-users () lists sourceforge net> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! -- Regards, Giles Coochey, CCNP, CCNA, CCNAS NetSecSpec Ltd +44 (0) 7983 877438 http://www.coochey.net http://www.netsecspec.co.uk giles () coochey net <mailto:giles () coochey net>------------------------------------------------------------------------------ This SF.net email is sponsored by Windows: Build for Windows Store. http://p.sf.net/sfu/windows-dev2dev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
-- Regards, Giles Coochey, CCNP, CCNA, CCNAS NetSecSpec Ltd +44 (0) 7983 877438 http://www.coochey.net http://www.netsecspec.co.uk giles () coochey net
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
------------------------------------------------------------------------------ This SF.net email is sponsored by Windows: Build for Windows Store. http://p.sf.net/sfu/windows-dev2dev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Centos 6.4, bnx2 in promiscuous mode does not see packets Giles Coochey (Jul 02)
- Re: Centos 6.4, bnx2 in promiscuous mode does not see packets Y M (Jul 02)
- Re: Centos 6.4, bnx2 in promiscuous mode does not see packets Giles Coochey (Jul 02)
- Re: Centos 6.4, bnx2 in promiscuous mode does not see packets Y M (Jul 02)
- Re: Centos 6.4, bnx2 in promiscuous mode does not see packets Giles Coochey (Jul 03)
- Re: Centos 6.4, bnx2 in promiscuous mode does not see packets Giles Coochey (Jul 02)
- Re: Centos 6.4, bnx2 in promiscuous mode does not see packets Y M (Jul 02)