Home page logo
/

snort logo Snort mailing list archives

Re: Snort not seeing IP-traffic, just Ether/Other
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 18 Apr 2013 12:52:17 -0600

On 2013-04-18 12:01, Kim.Halavakoski () Crosskey fi wrote:
Hello,
I have setup a snort-sensor on a RedHat Linux box with traffic from a
switch span-port feeding eth1 on the box. The traffic contains
vlan-tagged traffic, if that makes any difference.

The problem is that I am just getting some weird multicast / SSAP and
DSAP encapsulated Ethernet frames on that interface on the Linux box,
but when a colleague plugged in his laptop with Windows 7 on the same
port it saw all the traffic that I would like to see, meaning 
IP-traffic
from the monitored networks.

So Windows 7 sees the traffic, but the Linux box running snort just 
sees
weird multicast / SSAP / DSAP traffic. tcpdump does not show any IP
traffic either. I know this is probably not a snort-question per se, 
but
being snort-users list I think some of you guys might have som good
insights to this behaviour, probably easy to fix but I just can't get 
it
right now :( Any ideas on what I am doing wrong here?


Best regards,

Kim Halavakoski

Doesn't seem like your span-port is working..you should at least see 
broadcast though...that's weird.

Try setting your nic offloading (as root and with ethtool installed):

ethtool -K eth1 rx off
ethtool -K eth1 tx off
ethtool -K eth1 sg off
ethtool -K eth1 tso off
ethtool -K eth1 gso off
ethtool -K eth1 gro off

Also, any VLAN action going on?

James

------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]