Snort mailing list archives
RE: Snort & multi-port ethernet cards
From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Thu, 20 Jun 2002 11:09:34 -0400
That's a pretty good one. I've seen/heard-of similar problems on servers running Windows NT/2000, but never on anything running BSD. I'm running four instances on FreeBSD 4.5, one on-board NIC and two Intel Pro duals. Haven't tried a quad, although I think I have a Nokia quad laying around that I could try for kicks. I'm sure you've been through this already, but I assume that ifconfig is showing all interfaces up, messages is clean, dmesg shows all that all four are starting (or the rc.d script is succeeding, etc.? -----Original Message----- From: Tom Sevy [mailto:tsevy () epx com] Sent: Thursday, June 20, 2002 10:52 AM To: Snort-Users eMail List (E-mail) Subject: [Snort-users] Snort & multi-port ethernet cards Running various versions of snort, in the 1.8 range, I've tried to use two different multi-port ethernet adapters. One is an HP ANA-6944B/TX (Adaptec OEM'd to HP), 4 x 21140 and the other is a Znyx ZX346Q, 4 x 21143 Base systems: 1) Compaq Proliant 1850R 2x PIII cpu's, FreeBSD 4.4 & 4.5 versions 2) Compaq Proliant 1600R 2x PIII cpu's, RH Linux 7.3 In the various scenarios I have tried to use these cards, it seems that only one port at a time will actually return packets. Verified by running tcpdump on the different ports (ie., it's not just snort! the symptoms are seen as the same when trying to run two instances of tcpdump or two instances of snort. It is not external to the snort systems -- If I remove the quad card and through in distinct nic cards, then all is well. The problem appears to be that when the same driver is used for multiple NICS, only one of the NICS will function as necessary for snort. I would like to find a solution to this problem, as I have a couple of quad cards laying around, and using these I can have a single box monitoring many internal lan segments. Otherwise I have to request additional boxes as sensors. Hopefully someone else has seen/observed this, and might have a fix/work-around/solution.... ------------------------------------------------------- Bringing you mounds of caffeinated joy >>> http://thinkgeek.com/sf <<< _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users ------------------------------------------------------- Bringing you mounds of caffeinated joy >>> http://thinkgeek.com/sf <<< _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort & multi-port ethernet cards Tom Sevy (Jun 20)
- Re: Snort & multi-port ethernet cards Erek Adams (Jun 20)
- <Possible follow-ups>
- RE: Snort & multi-port ethernet cards McCammon, Keith (Jun 20)
- RE: Snort & multi-port ethernet cards larosa, vjay (Jun 20)