Snort mailing list archives

Re: Interface in promiscuous mode


From: Robby Desmond <rdesmond () els ucsb edu>
Date: Wed, 20 Nov 2002 12:28:27 -0800

At 07:56 PM 11/20/2002 +0000, Helder Rocha wrote:

Hello,

I've installed the Snort and the SnortCenter but when I start the snort
there is some info in my messages log file about the promiscuous mode but
when I enter the command "ifconfig -a" the interface does not appear as
PROMISC.
Is this normal? Do I really need the PROMISC set in eth0 interface?

Yes.

...
Nov 20 18:47:36 xpto kernel: device eth0 entered promiscuous mode
Nov 20 18:47:36 xpto kernel: device eth0 left promiscuous mode
Nov 20 18:47:36 xpto kernel: device eth0 entered promiscuous mode
Nov 20 18:47:36 xpto snort: Initializing daemon mode
Nov 20 18:47:36 xpto snort: PID path stat checked out ok, PID path set to
/var/run/
Nov 20 18:47:36 xpto snort: Writing PID "13562" to file
"/var/run//snort_eth0.pid"
Nov 20 18:47:36 xpto snort: Snort initialization completed successfully,
Snort running


Since you don't get a "left promiscuous mode" line, I would think you're still running good.
Try using tcpdump to see if it's getting packets.


My snort machine is connected to a Cisco switch with other servers. How can
I catch all packets in the LAN even if the destination is not my snort
machine?

Look on Cisco or in your documentation about SPAN ports.
-Robby

Robert Desmond
Systems Administrator
UCSB Extended Learning Services
805-893-4906
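
The check described in the reply above (the last promiscuous-mode kernel message for the interface is "entered", with no later "left") can be automated over the messages log. This is an added example, not part of the original post; the function names are hypothetical, the eth0 lines are taken from the excerpt in the post, and the eth1 lines are constructed.

```python
import re

# Matches the kernel messages shown in the post, e.g.
# "Nov 20 18:47:36 xpto kernel: device eth0 entered promiscuous mode"
EVENT = re.compile(r"kernel:.*\bdevice (\S+) (entered|left) promiscuous mode")

def promisc_state(lines):
    """Replay syslog lines in order; return per-interface state and event counts."""
    state = {}
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue  # snort's own messages and unrelated lines are ignored
        dev, event = m.groups()
        entry = state.setdefault(dev, {"promisc": False, "entered": 0, "left": 0})
        entry[event] += 1
        # Each message records a transition, so the most recent one decides
        # the current state. A "left" with no earlier "entered" (rotated or
        # truncated log) therefore still yields "not promiscuous".
        entry["promisc"] = (event == "entered")
    return state

def report(lines):
    """One summary line per interface, in order of first appearance."""
    return [
        f"{dev}: {'PROMISC' if s['promisc'] else 'not promisc'} "
        f"(entered={s['entered']}, left={s['left']})"
        for dev, s in promisc_state(lines).items()
    ]

# eth0 and snort lines: from the post's excerpt. eth1 lines: constructed.
SAMPLE = """\
Nov 20 18:47:36 xpto kernel: device eth0 entered promiscuous mode
Nov 20 18:47:36 xpto kernel: device eth0 left promiscuous mode
Nov 20 18:47:36 xpto kernel: device eth0 entered promiscuous mode
Nov 20 18:47:36 xpto snort: Initializing daemon mode
Nov 20 18:50:02 xpto kernel: device eth1 entered promiscuous mode
Nov 20 18:50:09 xpto kernel: device eth1 left promiscuous mode
""".splitlines()

if __name__ == "__main__":
    import sys
    # Pipe a real log in on stdin, or run with no input to use the sample.
    lines = SAMPLE if sys.stdin.isatty() else sys.stdin.read().splitlines()
    print("\n".join(report(lines)))
```

For the excerpt in the post this reports eth0 as still promiscuous (two "entered", one "left"), which matches the reading given in the reply.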


