RE: Drop statistics and Cisco Catalyst 6500

["Crow, Owen" <Owen_Crow () bmc com>]

> -----Original Message-----
> From: Rich Adamson [mailto:radamson () routers com]
> Sent: Wednesday, March 27, 2002 5:27 PM
> To: 'snort-users () lists sourceforge net'
> Cc: Crow, Owen
> Subject: Re: [Snort-users] Drop statistics and Cisco Catalyst 6500
[Agree with and understand this edited stuff.]
> For the "packet counts", the cisco switch is basically a 
> layer-2 device
> so it handles all protocols. Snort is TCP/IP based, and only 
> counts packets
> "destined" for itself and then only IP packets. Total packets 
> measured by
> Snort should be less than what the port statistics reflect on 
> the Cisco.
> Also, Snort doesn't care about general broadcasts while the 
> Cisco counts
> those.

Right, Snort only analyzes IP packets, but it does analyze broadcasts and
multicasts (especially on a LAN), too.  There are at least a few
experimental rules that use a destination of 255.255.255.255 (SNMP).

I included the Cisco drop stat just because it was one of the few populated
stats in the output.

We're still left with the question of why Snort is seeing more packets than
the Cisco.

I forgot to include the command line before, sorry:
/usr/sbin/snort -A fast -b -l /var/log/snort -d -D -u snort -g snort -i eth2
-c /etc/snort/snort.conf

Thanks,
Owen

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users