Stealth interface not seeing any IP traffic

["David G. Humes" <dhumes001 () comcast net>]

I just setup a system for running snort at home and I'm having a problem
with the monitoring interface not seeing any IP traffic.  If I do a
tcpdump on the monitoring interface all I see is the usual boatload of
arp requests and an occasional igmp message.  It's a Redhat 9 system
with libpcap-0.8.3.  The monitoring interface is plugged into a port on
a hub that sits between my cable modem my router/switch.  FWIW the hub
is a Linksys NH1005-WM.  Here's the configuration of eth1.

eth1      Link encap:Ethernet  HWaddr 00:01:02:C9:D6:53
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:44499 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:2673544 (2.5 Mb)  TX bytes:120 (120.0 b)
          Interrupt:10 Base address:0x1480

Here's my /etc/sysconfig/network-scripts/ifcfg-eth1 file.

TYPE=Ethernet
DEVICE=eth1
BOOTPROTO=static
ONBOOT=yes
IPADDR=0.0.0.0

 
I've also tried setting eth1 noarp and promisc, but that does not make
any difference.  And I tried giving the interface an address and that
didn't help either.  I know the interface works, as I have used it as
the management interface to the sensor.  

Any thoughts?



-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
Tool for open source databases. Create drag-&-drop reports. Save time
by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users