Snort mailing list archives
Re: Drop statistics and Cisco Catalyst 6500
From: "Dr. Richard W. Tibbs" <ccamp () oakcitysolutions com>
Date: Wed, 27 Mar 2002 21:33:05 -0500
Beggin' your pardon, but... (see inline)

Crow, Owen wrote:

Snort captures packets "just above the link layer", thereby getting ARP & RARP. These are not IP packets. So depends on what you mean by 'analyze'. I can't really write a snort rule about ARP, I suppose, but I do get ARP counts. Just my 2cents.

-----Original Message-----
From: Rich Adamson [mailto:radamson () routers com]
Sent: Wednesday, March 27, 2002 5:27 PM
To: 'snort-users () lists sourceforge net'
Cc: Crow, Owen
Subject: Re: [Snort-users] Drop statistics and Cisco Catalyst 6500

[Agree with and understand this edited stuff.]

For the "packet counts", the cisco switch is basically a layer-2 device so it handles all protocols. Snort is TCP/IP based, and only counts packets "destined" for itself and then only IP packets. Total packets measured by Snort should be less than what the port statistics reflect on the Cisco. Also, Snort doesn't care about general broadcasts while the Cisco counts those.

Right, Snort only analyzes IP packets, but it does analyze broadcasts and multicasts (especially on a LAN), too. There are at least a few experimental rules that use a destination of 255.255.255.255 (SNMP). I included the Cisco drop stat just because it was one of the few populated stats in the output. We're still left with the question of why Snort is seeing more packets than the Cisco.

I forgot to include the command line before, sorry:

/usr/sbin/snort -A fast -b -l /var/log/snort -d -D -u snort -g snort -i eth2 -c /etc/snort/snort.conf

Thanks,
Owen

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
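Added example (not part of any poster's message): when a sensor's packet total and a switch port's counters disagree, as in this thread, it helps to break captured frames down by link-layer protocol and destination class before comparing. The sketch below classifies Ethernet II headers that way; the sample frames and MAC addresses are constructed for illustration, and it makes no claim about which of these categories Snort or the Catalyst actually count.

```python
import struct
from collections import Counter

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x8035: "RARP"}

def make_frame(dst, src, ethertype, payload=b"\x00" * 46):
    """Build a constructed Ethernet frame (no FCS) for the demo."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

def classify(frame):
    """Return (protocol, destination class) from the 14-byte Ethernet header."""
    if len(frame) < 14:
        return ("truncated", "unknown")
    dst = frame[:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype < 0x0600:            # 802.3 length field, not an EtherType
        proto = "802.3/LLC"
    else:
        proto = ETHERTYPES.get(ethertype, "other")
    if dst == b"\xff" * 6:
        cls = "broadcast"
    elif dst[0] & 0x01:               # group bit set in the first octet
        cls = "multicast"
    else:
        cls = "unicast"
    return (proto, cls)

def tally(frames):
    """Per-category counts, total frames seen, and the IPv4-only subtotal."""
    counts = Counter(classify(f) for f in frames)
    total = sum(counts.values())
    ip_only = sum(n for (p, _), n in counts.items() if p == "IPv4")
    return counts, total, ip_only

# Constructed sample: what a promiscuous capture on a LAN segment might contain.
HOST, PEER = "00:11:22:33:44:55", "00:aa:bb:cc:dd:01"
SAMPLE = [
    make_frame(HOST, PEER, 0x0800),                 # IPv4 unicast
    make_frame("ff:ff:ff:ff:ff:ff", PEER, 0x0806),  # ARP broadcast
    make_frame("ff:ff:ff:ff:ff:ff", PEER, 0x0800),  # IPv4 broadcast
    make_frame("01:00:5e:00:00:01", PEER, 0x0800),  # IPv4 multicast
    make_frame("01:80:c2:00:00:00", PEER, 0x0026),  # 802.3 length field (LLC)
    make_frame(HOST, PEER, 0x8035),                 # RARP unicast
]

if __name__ == "__main__":
    counts, total, ip_only = tally(SAMPLE)
    for (proto, cls), n in sorted(counts.items()):
        print(f"{proto:10s} {cls:10s} {n}")
    print(f"total frames: {total}, IPv4 only: {ip_only}")
```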