Snort mailing list archives

Re: IFACE -i any problem


From: Edin Dizdarevic <edin.dizdarevic () interActive-Systems de>
Date: Thu, 05 Jun 2003 00:23:47 +0200


Well it's working perfectly here. Don't know what you're doing wrong.
It might be your kernel config. See if you have

<*> Packet socket

[*]   Packet socket: mmapped IO
...
[*] Socket Filtering


active, but afaik the error log is different then, complaining that
Snort is using the old socket (kernel version < 2.2, I think) for
sniffing. You may have to load the module "af_packet" if you won't
rebuild your kernel.

Anyway, "-i any" is not really wise, 'cause Snort will see your
loopback traffic too. At least use it with "snort ... not host
127.0.0.1", to filter the lo traffic.

Regards,

Edin


Marcus Robb wrote:
Hi, 

I'm sure this is an old issue, but I can't find a resolution. 
I've found posts that say libpcap has been able to 
listen on multiple interfaces for several versions now.

I have a redhat 7.3 system with 5 nics, 4 of the nics cover multiple paths, 1 is a management interface.
I only expect to capture packets on 2 of the promiscuous nics at any time.
The IFACE=any option would be perfect for me.
Snort 2.0 and the latest libpcap are both compiled from the latest stable sources.
 
When I try to start snort with the -i any switch I have errors in /var/log/messages
that say "modprobe can't find module any."
Snort starts but then no longer sees traffic on any of the interfaces.
If I start Snort on a single interface, say eth1, it works just fine.

Can anyone point me in the right direction please. My searches keep turning up nada
for a solution.

Thanks


-- 
Edin Dizdarevic
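
The kernel options named in the reply above can be checked against a saved kernel config file, shown here as an added example that is not part of the original post. It assumes the 2.4-era Kconfig symbols CONFIG_PACKET, CONFIG_PACKET_MMAP and CONFIG_FILTER for the three menu entries; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a kernel config for the options named in the reply.
# Assumed mapping from menu labels to 2.4-era Kconfig symbols:
#   "Packet socket"             -> CONFIG_PACKET
#   "Packet socket: mmapped IO" -> CONFIG_PACKET_MMAP
#   "Socket Filtering"          -> CONFIG_FILTER

# Print y, m or n for one symbol. $1 = config file, $2 = symbol name.
# Lines such as "# CONFIG_FILTER is not set" count as n.
kconfig_state() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${val:-n}"
}

# Report all three options and return:
#   0  packet socket built into the kernel
#   2  packet socket built as a module (af_packet must be loaded)
#   1  packet socket not configured (kernel rebuild needed)
packet_socket_status() {
    cfg=$1
    pkt=$(kconfig_state "$cfg" CONFIG_PACKET)
    mmap=$(kconfig_state "$cfg" CONFIG_PACKET_MMAP)
    filt=$(kconfig_state "$cfg" CONFIG_FILTER)
    echo "CONFIG_PACKET=$pkt CONFIG_PACKET_MMAP=$mmap CONFIG_FILTER=$filt"
    case "$pkt" in
        y) return 0 ;;
        m) echo "packet socket is a module: load af_packet before starting Snort"
           return 2 ;;
        *) echo "packet socket not configured: rebuild the kernel"
           return 1 ;;
    esac
}

# Constructed sample config (not taken from the poster's system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_PACKET=m
# CONFIG_PACKET_MMAP is not set
CONFIG_FILTER=y
EOF
packet_socket_status "$sample" || true
rm -f "$sample"
```
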


