Snort mailing list archives

Re: Centos 6.4, bnx2 in promiscuous mode does not see packets


From: Giles Coochey <giles () coochey net>
Date: Wed, 03 Jul 2013 10:34:31 +0100

On 02/07/2013 16:53, Y M wrote:
    We had a PowerEdge server once with BCM57xx with bnx2 drivers and we had no issues at all, we were running Ubuntu server though. Do you have a spare NIC other than BCM, that you can stick in to the server and test with? Just an idea to eliminate the NIC factor.

Actually, I checked the port mirror with a laptop and Wireshark and found that it was reporting exactly the traffic that was being sent; it appears to be a limitation or interpretation of the port mirror feature on the Nortel 3510-24T (wish it was a Cisco!)


------------------------------------------------------------------------
Date: Tue, 2 Jul 2013 09:43:50 +0100
From: giles () coochey net
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Centos 6.4, bnx2 in promiscuous mode does not see packets

On 02/07/2013 09:16, Y M wrote:

    Couple of questions that may help troubleshoot the issue:

    1. What kind of traffic are you forwarding? i.e.: VLAN tagged traffic?
    If yes, then you may need to enable VLAN support in Linux if
    not enabled already: modprobe 8021q


It isn't tagged traffic, but I tried loading the module, and found that I have the same issue.

    2. If you run Snort with -k none (for testing purposes), do you
    get all traffic?


All I saw was 5 ARP packets... which is the same if I just run it without -k none

    3. If you disable NIC offloading functions such as tso, gro, etc.,
    Does it make a difference?


That's an idea, I used ethtool -K to disable what I could:

[root@host ~]# ethtool -k eth1
Features for eth1:
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp-segmentation-offload: off
udp-fragmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off
receive-hashing: off

Unfortunately, I still get the same issue, I was wondering whether there is something specific with the Broadcom bnx2, would have thought there would be something documented about it as it is supposed to be quite common in Dell PowerEdge servers...


    This is what I can think of for now. Maybe someone on the
    list can help more. Thanks.

    YM

    ------------------------------------------------------------------------
    Date: Tue, 2 Jul 2013 08:52:57 +0100
    From: giles () coochey net
    To: snort-users () lists sourceforge net
    Subject: [Snort-users] Centos 6.4, bnx2 in promiscuous mode does
    not see packets

    Hi,

    I hope someone can help me, I cannot seem to get a system's
    ethernet interface to correctly work in promiscuous mode...

    I have a Centos 6.4 system with 2 bnx2 interfaces on it.

    I have set up eth1 in promiscuous mode and am sending traffic to
    it using the port mirroring configuration on a Nortel 3510-24T
    switch.
    The switch reports that it is sending a fair amount of traffic to
    the mirror port.

    However, within Centos 6.4, I only see broadcast traffic from the
    switch:

    [root@host eth1]# ifconfig eth1
    eth1      Link encap:Ethernet  HWaddr 00:19:B9:E2:30:AE
              UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500  Metric:1
              RX packets:75 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:4800 (4.6 KiB)  TX bytes:0 (0.0 b)

    I have tried various options configuring eth1 via
    /etc/sysconfig/networking/devices/ifcfg-eth1

    Currently it looks like this:

    DEVICE=eth1
    BOOTPROTO=static
    HWADDR=00:19:B9:E2:30:AE
    #NM_CONTROLLED=no
    ONBOOT=yes
    TYPE=Ethernet
    #UUID="e753ec9b-fc35-4460-bcd1-87f26f8d1553"
    IPV6INIT=no
    USERCTL=no
    PROMISC=yes

    I have also tried to manually put the interface in promiscuous
    mode (as I think PROMISC=yes is deprecated):

    ifconfig eth1 promisc

    It shows as being in promiscuous mode via ifconfig...

    The relevant parts of bootup / system messages:

    bnx2: Broadcom NetXtreme II Gigabit Ethernet Driver bnx2 v2.2.3 (June 27, 2012)
    bnx2 0000:05:00.0: PCI INT A -> GSI 16 (level, low) -> IRQ 16
    bnx2 0000:05:00.0: firmware: requesting bnx2/bnx2-mips-06-6.2.3.fw
    bnx2 0000:05:00.0: firmware: requesting bnx2/bnx2-rv2p-06-6.0.15.fw
    bnx2 0000:05:00.0: eth0: Broadcom NetXtreme II BCM5708 1000Base-T (B2) PCI-X 64-bit 133MHz found at mem f8000000, IRQ 16, node addr 00:19:b9:e2:30:ac
    bnx2 0000:09:00.0: PCI INT A -> GSI 16 (level, low) -> IRQ 16
    bnx2 0000:09:00.0: firmware: requesting bnx2/bnx2-mips-06-6.2.3.fw
    bnx2 0000:09:00.0: firmware: requesting bnx2/bnx2-rv2p-06-6.0.15.fw
    bnx2 0000:09:00.0: eth1: Broadcom NetXtreme II BCM5708 1000Base-T (B2) PCI-X 64-bit 133MHz found at mem f4000000, IRQ 16, node addr 00:19:b9:e2:30:ae
    bnx2 0000:05:00.0: irq 95 for MSI/MSI-X
    bnx2 0000:05:00.0: eth0: using MSI
    bnx2 0000:05:00.0: eth0: NIC Copper Link is Up, 1000 Mbps full duplex
    bnx2 0000:09:00.0: irq 96 for MSI/MSI-X
    bnx2 0000:09:00.0: eth1: using MSI
    bnx2 0000:09:00.0: eth1: NIC Copper Link is Up, 1000 Mbps full duplex, receive & transmit flow control ON
    bnx2 0000:05:00.0: irq 95 for MSI/MSI-X
    bnx2 0000:05:00.0: eth0: using MSI
    bnx2 0000:05:00.0: eth0: NIC Copper Link is Up, 1000 Mbps full duplex
    bnx2 0000:09:00.0: irq 96 for MSI/MSI-X
    bnx2 0000:09:00.0: eth1: using MSI
    bnx2 0000:09:00.0: eth1: NIC Copper Link is Up, 1000 Mbps full duplex, receive & transmit flow control ON

    Does anyone have any ideas?

    Thanks

    Giles

    ------------------------------------------------------------------------------
    This SF.net email is sponsored by Windows: Build for Windows
    Store. http://p.sf.net/sfu/windows-dev2dev
    _______________________________________________ Snort-users
    mailing list Snort-users () lists sourceforge net
    <mailto:Snort-users () lists sourceforge net> Go to this URL to
    change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please
    visit http://blog.snort.org to stay current on all the latest
    Snort news!



--
Regards,

Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
giles () coochey net



--
Regards,

Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
giles () coochey net
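
Added example, not part of the original thread: a small Python check that classifies captured Ethernet frames by destination address, to tell whether a mirror port is delivering traffic for other hosts or only flooded broadcast/multicast, which is the symptom described above. The sensor MAC is the eth1 address from the post; the sample frames, the helper names and the verdict wording are constructed for illustration.

```python
from collections import Counter

BROADCAST = b"\xff" * 6

def mac_bytes(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("not a 48-bit MAC: %r" % text)
    return raw

def classify(frame, own_mac):
    """Classify one raw Ethernet frame by its destination address."""
    if len(frame) < 14:            # shorter than an Ethernet header
        return "runt"
    dst = frame[:6]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:              # I/G bit set: group (multicast) address
        return "multicast"
    return "unicast_to_self" if dst == own_mac else "unicast_to_other"

def mirror_verdict(frames, own_mac_text):
    """Count frame classes and say whether mirrored traffic is arriving."""
    own = mac_bytes(own_mac_text)
    counts = Counter(classify(f, own) for f in frames)
    if counts["unicast_to_other"]:
        verdict = "mirror OK: frames for other hosts are reaching the sensor"
    elif counts["broadcast"] or counts["multicast"]:
        verdict = "flooded traffic only: check the switch mirror config, then the NIC"
    else:
        verdict = "no usable frames: check link and cabling"
    return counts, verdict

def frame(dst, src, ethertype, payload=b"\x00" * 46):
    """Build a minimal Ethernet II frame (constructed test data)."""
    return mac_bytes(dst) + mac_bytes(src) + ethertype.to_bytes(2, "big") + payload

# Constructed samples: five ARP broadcasts, as reported in the thread, and the
# same capture plus one IPv4 frame addressed to a different host.
OWN_MAC = "00:19:B9:E2:30:AE"
ARP_ONLY = [frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", 0x0806)] * 5
MIRRORED = ARP_ONLY + [frame("02:00:00:00:00:02", "02:00:00:00:00:01", 0x0800)]

if __name__ == "__main__":
    for name, sample in (("arp-only", ARP_ONLY), ("mirrored", MIRRORED)):
        print(name, *mirror_verdict(sample, OWN_MAC))
```

Running the same classification on a capture from a second machine on the mirror port, as was done with the laptop here, separates a switch-side limitation from NIC or driver filtering.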
