Snort mailing list archives

Re: Is there some problem w/ 3Com cards?


From: "Jason A. Haynes" <jahaynes () erols com>
Date: Sun, 15 Jul 2001 15:55:27 -0400 (EDT)

On Fri, 13 Jul 2001, Kiira Triea wrote:

>>> A friend tells me 3Com cards have some problems - like dropping
>>> all malformed packets. I have bought a 3Com 3C900 XL because
>>> it is a PCI card and it has an AUI port. Anyone ever have any
>>> problems with this or cards like 3C509 and snort?

>> Your friend is mostly correct. The majority of current NIC cards have
>> low-level logic built into the integrated circuits to "inspect"
>> incoming packets, and if that packet is corrupted, it will be dropped.
>> In most NIC cards, those dropped packets are not counted by any
>> sort of management logic, and promiscuous mode has absolutely
>> nothing to do with whether you can "see" those damaged ethernet
>> packets or not.

> Ok, that was the main point or question I am not so sure of - whether
> any of this affected promiscuous mode ability of the card. Thanks for
> the help!

NICs will not have the level of comprehension snort does.  Snort will be
useful on any NIC, not just for content searches and port scans but wacky
TCP/IP flags and out of stream data.  The NIC's looking at the ethernet
header for errors, and probably doesn't error check the IP header much at
all, if any.  NICs are mostly a layer 1 device (OSI 7 layer networking
model).  Also, NICs shouldn't be keeping state info on whether or not to
expect an RST or SYN ACK packet on a particular port; that's the job of
the TCP/IP stacks (in your OS/kernel).

And.. I have yet to see a card which doesn't at least pretend to log
errors & dropped packets.  Maybe it doesn't log *all* of them, but check
ifconfig and netstat (unix) for which flags to use to check on your stats.  
Note the stats are usually cumulative since the last boot.  In Solaris the
undocumented 'ifconfig -k' does the most verbose; on my Linux it shows
dropped & error statistics by default.  netstat(1) is also fun; check it
out.

This shouldn't have anything to do with promiscuous mode, either.
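
An added example, not part of the original post: because the interface error and drop counters mentioned above are cumulative since boot, a sensor operator usually wants the change between two readings rather than the raw totals. The sketch below assumes a Linux host exposing the counters in /proc/net/dev; the two snapshots are constructed sample data, and it can only report what the driver chooses to count.

```python
# Added example: per-interface RX error/drop deltas from Linux /proc/net/dev.
RX_FIELDS = ("bytes", "packets", "errs", "drop", "fifo", "frame",
             "compressed", "multicast")
WATCHED = ("packets", "errs", "drop", "fifo", "frame")
HEADER = (
    "Inter-|   Receive                            |  Transmit\n"
    " face |bytes packets errs drop fifo frame compressed multicast|"
    "bytes packets errs drop fifo colls carrier compressed\n"
)
# Constructed snapshots (not real captures), taken some time apart.
SAMPLE_T0 = HEADER + (
    "    lo:    1000    10  0 0 0  0 0  0    1000   10 0 0 0 0 0 0\n"
    "  eth0: 5000000 40000 12 3 0  7 0 10  900000 8000 0 0 0 0 0 0\n"
)
SAMPLE_T1 = HEADER + (
    "    lo:    2000    20  0 0 0  0 0  0    2000   20 0 0 0 0 0 0\n"
    "  eth0:9000000 75000 30 3 2 19 0 25 1500000 9000 0 0 0 0 0 0\n"
)


def parse_proc_net_dev(text):
    """Return {iface: {rx_field: int}} from the text of /proc/net/dev."""
    stats = {}
    for line in text.splitlines()[2:]:            # first two lines are headers
        iface, sep, rest = line.partition(":")    # name may be fused to the number
        values = rest.split()
        if sep and len(values) >= len(RX_FIELDS):
            rx = [int(v) for v in values[:len(RX_FIELDS)]]
            stats[iface.strip()] = dict(zip(RX_FIELDS, rx))
    return stats


def rx_deltas(before, after):
    """Change in the watched RX counters between two parsed snapshots."""
    report = {}
    for iface, now in after.items():
        old = before.get(iface)
        if old is None:
            continue                              # interface appeared in between
        delta = {k: now[k] - old[k] for k in WATCHED}
        if min(delta.values()) < 0:
            continue                              # counters reset or wrapped
        report[iface] = delta
    return report


def lossy_interfaces(report):
    """Interfaces whose errs, drop, fifo or frame counters grew."""
    return sorted(i for i, d in report.items()
                  if d["errs"] or d["drop"] or d["fifo"] or d["frame"])


if __name__ == "__main__":
    deltas = rx_deltas(parse_proc_net_dev(SAMPLE_T0), parse_proc_net_dev(SAMPLE_T1))
    print(deltas, lossy_interfaces(deltas))
```

On a live sensor, pass the contents of /proc/net/dev read at two different times in place of the constructed samples.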

