Snort mailing list archives

Re: Is there some problem w/ 3Com cards?


From: Rich Adamson <radamson () routers com>
Date: Thu, 12 Jul 2001 09:17:25 -0600


A friend tells me 3Com cards have some problems - like dropping 
all malformed packets. I have bought a 3Com 3C900 XL because 
it is a PCI card and it has an AUI port. Anyone ever have any 
problems with this or cards like 3C509 and snort? 

Your friend is mostly correct. The majority of current NIC cards have
low-level logic built into the integrated circuits to "inspect"
incoming packets, and if that packet is corrupted, it will be dropped.
In most NIC cards, those dropped packets are not counted by any
sort of management logic, and promiscuous mode has absolutely
nothing to do with whether you can "see" those damaged ethernet
packets or not.

What your question/friend doesn't mention is "what is a malformed
packet". The NIC card logic only knows what a layer-2 ethernet packet
is supposed to look like (e.g., jk bits, header, data, trailer). If 
an arriving packet is damaged (generally the result of an ethernet
collision) and can't be decoded at layer-2, it is dropped. From
a snort perspective, you don't care.

These types of malformed/corrupted packets cannot be generated by
hackers (NIC cards don't have the internal logic to allow that).

There are a few NIC cards on the market that do include some logic
that allows "counting" of those packets, and options to pass the
damaged packet up to the NIC card driver code. If you go to 
www.sniffer.com and find NAI's list of supported NIC cards, you will 
see a small list that has those functions. You really don't care 
though because it only becomes important if you are trying to analyze 
the source of damaged / irregular packets with sniffers. Snort 
does not have any support whatsoever to do that.

Rich
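
The layer-2 filtering described in the message above, as an added example that is not part of the original post: a simplified model of the check a receiving MAC applies, showing that a frame carrying a malformed IP header still reaches the sniffer while a damaged or truncated frame does not. The frame limits (64/1518 bytes), the CRC-32 trailer, the function names and the sample frames are assumptions constructed for illustration.

```python
import struct
import zlib

MIN_FRAME = 64     # bytes from destination MAC through FCS (assumed: classic Ethernet)
MAX_FRAME = 1518   # untagged maximum, FCS included

def fcs(body):
    """Ethernet trailer (FCS): CRC-32 of the frame body, least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)

def add_fcs(body):
    """Pad to the 60-byte minimum and append the FCS, as a sending MAC does."""
    body = body.ljust(MIN_FRAME - 4, b"\x00")
    return body + fcs(body)

def mac_accepts(frame):
    """Return (delivered_to_driver, reason) for one received frame."""
    if len(frame) < MIN_FRAME:
        return (False, "runt")
    if len(frame) > MAX_FRAME:
        return (False, "oversize")
    if fcs(frame[:-4]) != frame[-4:]:
        return (False, "bad FCS")
    return (True, "ok")

def build_samples():
    """Constructed frames: locally administered MACs, documentation IP addresses."""
    eth = bytes.fromhex("020000000002" "020000000001" "0800")
    # IPv4 header with an invalid header-length field (IHL = 2, minimum is 5).
    # Layer 2 does not look at this, so the frame is still delivered.
    bad_ip = bytes([0x42, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0,
                    192, 0, 2, 1, 192, 0, 2, 2])
    good_l2 = add_fcs(eth + bad_ip)
    damaged = bytearray(good_l2)
    damaged[20] ^= 0xFF               # bits corrupted on the wire
    return {
        "bad_ip_header": good_l2,     # malformed at layer 3, valid at layer 2
        "collision_damage": bytes(damaged),
        "runt": good_l2[:40],         # fragment left over from a collision
    }

if __name__ == "__main__":
    for name, frame in build_samples().items():
        print(name, mac_accepts(frame))
```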

