Home page logo
/

snort logo Snort mailing list archives

Re: Centos 6.4, bnx2 in promiscuous mode does not see packets
From: Y M <snort () outlook com>
Date: Tue, 2 Jul 2013 08:16:20 +0000

Couple of questions that may help troubleshoot the issue:
 
1. What kind of traffic you are forwarding? i.e.: VLAN tagged traffic?
     If yes, then you may need to enable VLAN support in Linux if not enabled already: modprobe 8021q
2. If you run Snort with -k none (for testing purposes), do you get all traffic?
3. If you disable NIC offloading functions such as tso, gro, etc., Does it make a difference?
 
This is what I can think of for now. May be someone in the list can help more. Thanks.
 
YM
 
Date: Tue, 2 Jul 2013 08:52:57 +0100
From: giles () coochey net
To: snort-users () lists sourceforge net
Subject: [Snort-users] Centos 6.4,      bnx2 in promiscuous mode does not see packets


  

    
  
  
    Hi,
      

      

      I hope someone can help me, I cannot seem to get a system's
      ethernet interface to correctly work in promiscuous mode...
      

      

      I have a Centos 6.4 system with 2 bnx2 interfaces on it.
      

      

      I have set up eth1 in promiscuous mode and am sending traffic to
      it using the port mirroring configuration on a Nortel 3510-24T
      switch.
      

      The switch reports that it is sending a fair amount of traffic to
      the mirror port.
      

      

      However, within Centos 6.4, I only see broadcast traffic from the
      switch:
      

      

      [root () host eth1]# ifconfig eth1
      

      eth1      Link encap:Ethernet  HWaddr 00:19:B9:E2:30:AE
      

                UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500 
      Metric:1
      

                RX packets:75 errors:0 dropped:0 overruns:0 frame:0
      

                TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
      

                collisions:0 txqueuelen:1000
      

                RX bytes:4800 (4.6 KiB)  TX bytes:0 (0.0 b)
      

      

      I have tried various options configuring eth1 via
      /etc/sysconfig/networking/devices/ifcfg-eth1
      

      

      Currently it looks like this:
      

      

      DEVICE=eth1
      

      BOOTPROTO=static
      

      HWADDR=00:19:B9:E2:30:AE
      

      #NM_CONTROLLED=no
      

      ONBOOT=yes
      

      TYPE=Ethernet
      

      #UUID="e753ec9b-fc35-4460-bcd1-87f26f8d1553"
      

      IPV6INIT=no
      

      USERCTL=no
      

      PROMISC=yes
      

      

      I have also tried to manually put the interface in promiscuous
      mode (as I think PROMISC=yes is deprecated):
      

      

      ifconfig eth1 promisc
      

      

      It shows as being in promiscuous mode via ifconfig...
      

      

      The relevant parks of bootup / system messages:
      

      

      bnx2: Broadcom NetXtreme II Gigabit Ethernet Driver bnx2 v2.2.3
      (June 27, 2012)
      

      bnx2 0000:05:00.0: PCI INT A -> GSI 16 (level, low) -> IRQ
      16
      

      bnx2 0000:05:00.0: firmware: requesting bnx2/bnx2-mips-06-6.2.3.fw
      

      bnx2 0000:05:00.0: firmware: requesting
      bnx2/bnx2-rv2p-06-6.0.15.fw
      

      bnx2 0000:05:00.0: eth0: Broadcom NetXtreme II BCM5708 1000Base-T
      (B2) PCI-X 64-bit 133MHz found at mem f8000000, IRQ 16, node addr
      00:19:b9:e2:30:ac
      

      bnx2 0000:09:00.0: PCI INT A -> GSI 16 (level, low) -> IRQ
      16
      

      bnx2 0000:09:00.0: firmware: requesting bnx2/bnx2-mips-06-6.2.3.fw
      

      bnx2 0000:09:00.0: firmware: requesting
      bnx2/bnx2-rv2p-06-6.0.15.fw
      

      bnx2 0000:09:00.0: eth1: Broadcom NetXtreme II BCM5708 1000Base-T
      (B2) PCI-X 64-bit 133MHz found at mem f4000000, IRQ 16, node addr
      00:19:b9:e2:30:ae
      

      bnx2 0000:05:00.0: irq 95 for MSI/MSI-X
      

      bnx2 0000:05:00.0: eth0: using MSI
      

      bnx2 0000:05:00.0: eth0: NIC Copper Link is Up, 1000 Mbps full
      duplex
      

      bnx2 0000:09:00.0: irq 96 for MSI/MSI-X
      

      bnx2 0000:09:00.0: eth1: using MSI
      

      bnx2 0000:09:00.0: eth1: NIC Copper Link is Up, 1000 Mbps full
      duplex, receive & transmit flow control ON
      

      bnx2 0000:05:00.0: irq 95 for MSI/MSI-X
      

      bnx2 0000:05:00.0: eth0: using MSI
      

      bnx2 0000:05:00.0: eth0: NIC Copper Link is Up, 1000 Mbps full
      duplex
      

      bnx2 0000:09:00.0: irq 96 for MSI/MSI-X
      

      bnx2 0000:09:00.0: eth1: using MSI
      

      bnx2 0000:09:00.0: eth1: NIC Copper Link is Up, 1000 Mbps full
      duplex, receive & transmit flow control ON
      

      

      Does anyone have any ideas?
      

      

      Thanks
      

      

      Giles
      

    
  


------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!                                        
  
------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]