Snort mailing list archives
Re: What NICs are people using?
From: Terence Runge <terencerunge () sbcglobal net>
Date: Fri, 02 May 2003 11:20:06 -0700
I use Dell Optiplex GX 260's in the test lab. If you go this route and want to continue with RedHat, you will want to install RH 8, kernel 2.4.18-27.8.0. These optiplex use the full size nic, have two available slots, and one onboard nic you can use as a control port. These have held up fairly well. Regarding the dual or four port nic, I can not verify that you will be without issues.
Most recently, however, I did have success with a Dell Power Edge 2550 and an Intel dual port nic using the default drivers off the RH 8 distro.
-Terence

Gordon Cunningham wrote:

Thanks Terence, we'll probably have to use Dell workstation-class systems due to cost factors. I have used Intel dual-port cards in the past, but not under Linux.

- Gordon

"The software said it requires Windows 98 or better, so I installed Linux..."

-----Original Message-----
From: Terence Runge [mailto:terencerunge () sbcglobal net]
Sent: Friday, May 02, 2003 1:44 PM
To: gcunnin2 () bellsouth net
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] What NICs are people using?

Have you tried this on a Compaq DL380 with dual-port NICs? I have this set up in multiple locations and have not experienced any driver conflicts. This is a RedHat 7.2 build with the Compaq drivers.

http://h18007.www1.hp.com/support/files/server/us/locate/86_1342.html

It looks like these have been upgraded as of April 23, 2003, so I can't directly tell you if they will work. The e100-2.1.29 drivers worked with the following Intel network adapters:

82558 PRO/100+ Dual Port Server Adapter 714303-xxx, 711269-xxx, A28276-xxx
82550 PRO/100 S Dual Port Server Adapter A56831-xxx

Following is some information from Compaq that might help.

-Terence

============

For the build to work properly it is important that the currently running kernel MATCH the version and configuration of the installed kernel source. If you have just recompiled your kernel, reboot the system and choose the correct kernel to boot.

1. Move the base driver tar file to the directory of your choice. For example, use: /home/username/e100 or /usr/local/src/e100.

2. Untar/unzip the archive by entering the following, where <x.x.x> is the version number for the driver tar:

    tar xfz e100-<x.x.x>.tar.gz

3. Change to the driver src directory by entering the following, where <x.x.x> is the version number for the driver tar:

    cd e100-<x.x.x>/src/

4. Compile the driver module:

    make install

   The binary will be installed as one of the following:

    /lib/modules/<kernel_version>/kernel/drivers/net/e100.o
    /lib/modules/<kernel_version>/net/e100.o

   The install locations listed above are the default locations. They may not be correct for certain Linux distributions. For more information, see the ldistrib.txt file included in the driver tar.

5. Install the module:

    insmod e100 <parameter>=<value>

6. Assign an IP address to the interface by entering the following, where <x> is the interface number:

    ifconfig eth<x> <IP_address>

7. Verify that the interface works. Enter the following, where <IP_address> is the IP address for another machine on the same subnet as the interface that is being tested:

    ping <IP_address>

Due to the ARP behavior on Linux, it is not possible to have one system on two IP networks in the same Ethernet broadcast domain (non-partitioned switch) behave as expected. All Ethernet interfaces will respond to IP traffic for any IP address assigned to the system. This results in unbalanced receive traffic. When this occurs, transmits and receives for a single conversation can be split across different network interfaces. Additionally, the server might have up to twice as much transmit capacity as receive capacity, which can result in the receive side being overrun and dropping receives.

If you have multiple interfaces in a server, install them in different switches or partition the switch into VLANs to prevent broadcast traffic from going to the wrong interface. This does not apply when using a teaming solution, like ANS.

========

Gordon Cunningham wrote:

Situation: RedHat (choice of version, 7.3+), snort, multiple segments to monitor (up to 4), barnyard, MySQL, Webmin, etc. RedHat says the use of multiple same-chipset Intel Pro100 NICs won't work due to a bug in the driver. I need to find a solution to support up to 4 sniffing promiscuous Ethernet ports - 2 dual-port NICs or single 4-port?

Q: What brand/model of multiple NICs are you using to support sniffing up to 4 segments (5th separate NIC for management interface) on RedHat systems?

Q: Do the dual- or multi-port NICs work?

Q: Should I move to another OS?

Didn't find much in the archives... Thanks.

- Gordon

Loved this so much I ripped it: "The software said it requires Windows 98 or better, so I installed Linux..."
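Added example, not part of the original thread or of the Compaq/Intel driver documentation: a POSIX shell pre-flight for the build steps quoted above. It checks that the running kernel matches the kernel source tree and looks for e100.o in either default install location. The function names, the /usr/src/linux path and the --check argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): checks around the e100 build procedure.

# Print the release string encoded in a 2.4-style kernel source Makefile,
# built from its VERSION, PATCHLEVEL, SUBLEVEL and EXTRAVERSION lines.
kernel_src_version() {
    awk -F'=' '
        /^VERSION[ \t]*=/      { v = $2 }
        /^PATCHLEVEL[ \t]*=/   { p = $2 }
        /^SUBLEVEL[ \t]*=/     { s = $2 }
        /^EXTRAVERSION[ \t]*=/ { e = $2 }
        END {
            gsub(/[ \t]/, "", v); gsub(/[ \t]/, "", p)
            gsub(/[ \t]/, "", s); gsub(/[ \t]/, "", e)
            printf "%s.%s.%s%s\n", v, p, s, e
        }' "$1"
}

# Succeed only when the running release ($1) equals the source tree's
# release (Makefile path in $2); a mismatch is reported on stderr.
kernel_matches() {
    src=$(kernel_src_version "$2")
    if [ "$1" != "$src" ]; then
        echo "running kernel $1 does not match kernel source $src" >&2
        return 1
    fi
    return 0
}

# Print the path of e100.o under root $1 for kernel release $2, trying the
# two default install locations from the procedure; fail if neither exists.
find_e100_module() {
    for rel in kernel/drivers/net/e100.o net/e100.o; do
        candidate="$1/lib/modules/$2/$rel"
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Stand-alone use: sh script.sh --check [path-to-kernel-Makefile]
# The default source path below is an assumption, not taken from the thread.
if [ "${1:-}" = "--check" ]; then
    kernel_matches "$(uname -r)" "${2:-/usr/src/linux/Makefile}" &&
        find_e100_module "" "$(uname -r)"
fi
```

Run the kernel check before step 4 and the module lookup after it; a missing module in both locations is the case the procedure attributes to distribution-specific install paths.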