Snort mailing list archives
Re: Snort not seeing IP-traffic, just Ether/Other
From: Glenn Geller <ggeller () gmail com>
Date: Thu, 18 Apr 2013 11:36:58 -0700
Hello Kim,

One thing you may want to check is the position of your secondary NIC. Specifically, some Linux builds actually see the secondary NIC as eth0, and this may be only connected to the non-span port. I have had this issue recently, and took a few days to figure it out. May not be related to your specific issue, but wanted to put in my 2 cents.

Good luck,
Glenn

On Thu, Apr 18, 2013 at 11:01 AM, Kim.Halavakoski () Crosskey fi <Kim.Halavakoski () crosskey fi> wrote:
Hello,
I have set up a snort-sensor on a RedHat Linux box with traffic from a
switch span-port feeding eth1 on the box. The traffic contains
vlan-tagged traffic, if that makes any difference.
The problem is that I am just getting some weird multicast / SSAP and
DSAP encapsulated Ethernet frames on that interface on the Linux box,
but when a colleague plugged in his laptop with Windows 7 on the same
port it saw all the traffic that I would like to see, meaning IP-traffic
from the monitored networks.
So Windows 7 sees the traffic, but the Linux box running snort just sees
weird multicast / SSAP / DSAP traffic. tcpdump does not show any IP
traffic either. I know this is probably not a snort-question per se, but
this being the snort-users list I think some of you guys might have some good
insights into this behaviour, probably easy to fix but I just can't get it
right now :( Any ideas on what I am doing wrong here?
The interface is set in promiscuous mode:
[root@xxxanal01 khalavak]# ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:14:5E:2A:34:85
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
RX packets:3668068 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:628710729 (599.5 MiB) TX bytes:0 (0.0 b)
Interrupt:16
Snort sees only Ether and Other traffic:
[root@xxxanal01 khalavak]# snort -i eth1
Running in packet dump mode
--== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eth1".
Decoding Ethernet
--== Initialization Complete ==--
,,_ -*> Snort! <*-
o" )~ Version 2.9.4.1 GRE (Build 69)
'''' By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using libpcap version 1.0.0
Using PCRE version: 7.8 2008-09-05
Using ZLIB version: 1.2.3
Commencing packet processing (pid=3644)
^C*** Caught Int-Signal
===============================================================================
Run time for packet processing was 7.103551 seconds
Snort processed 1354 packets.
Snort ran for 0 days 0 hours 0 minutes 7 seconds
Pkts/sec: 193
===============================================================================
Packet I/O Totals:
Received: 1354
Analyzed: 1354 (100.000%)
Dropped: 0 ( 0.000%)
Filtered: 0 ( 0.000%)
Outstanding: 0 ( 0.000%)
Injected: 0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
Eth: 1354 (100.000%)
VLAN: 0 ( 0.000%)
IP4: 0 ( 0.000%)
Frag: 0 ( 0.000%)
ICMP: 0 ( 0.000%)
UDP: 0 ( 0.000%)
TCP: 0 ( 0.000%)
IP6: 0 ( 0.000%)
IP6 Ext: 0 ( 0.000%)
IP6 Opts: 0 ( 0.000%)
Frag6: 0 ( 0.000%)
ICMP6: 0 ( 0.000%)
UDP6: 0 ( 0.000%)
TCP6: 0 ( 0.000%)
Teredo: 0 ( 0.000%)
ICMP-IP: 0 ( 0.000%)
IP4/IP4: 0 ( 0.000%)
IP4/IP6: 0 ( 0.000%)
IP6/IP4: 0 ( 0.000%)
IP6/IP6: 0 ( 0.000%)
GRE: 0 ( 0.000%)
GRE Eth: 0 ( 0.000%)
GRE VLAN: 0 ( 0.000%)
GRE IP4: 0 ( 0.000%)
GRE IP6: 0 ( 0.000%)
GRE IP6 Ext: 0 ( 0.000%)
GRE PPTP: 0 ( 0.000%)
GRE ARP: 0 ( 0.000%)
GRE IPX: 0 ( 0.000%)
GRE Loop: 0 ( 0.000%)
MPLS: 0 ( 0.000%)
ARP: 0 ( 0.000%)
IPX: 0 ( 0.000%)
Eth Loop: 0 ( 0.000%)
Eth Disc: 0 ( 0.000%)
IP4 Disc: 0 ( 0.000%)
IP6 Disc: 0 ( 0.000%)
TCP Disc: 0 ( 0.000%)
UDP Disc: 0 ( 0.000%)
ICMP Disc: 0 ( 0.000%)
All Discard: 0 ( 0.000%)
Other: 1354 (100.000%)
Bad Chk Sum: 0 ( 0.000%)
Bad TTL: 0 ( 0.000%)
S5 G 1: 0 ( 0.000%)
S5 G 2: 0 ( 0.000%)
Total: 1354
===============================================================================
Snort exiting
[root@xxxanal01 khalavak]
Same with tcpdump, not seeing any IP-traffic, just weird "Unknown SSAP"
and "Null information" packets:
[root@xxxanal01 khalavak]# tcpdump -nn -i eth1
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
20:55:14.105981 00:10:db:fc:45:00 Unknown SSAP 0x26 > 00:50:56:95:20:66
Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command],
length 60
20:55:14.106120 00:50:56:95:45:00 > 00:10:db:fc:40:05 Null Information,
send seq 32, rcv seq 0, Flags [Command], length 60
20:55:14.106840 00:10:db:fc:45:00 Unknown SSAP 0x26 > 00:50:56:95:20:66
Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Response],
length 52
20:55:14.107173 00:10:db:fc:45:00 Unknown SSAP 0x28 > 00:50:56:95:20:66
Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command],
length 191
20:55:14.107275 00:50:56:95:45:00 Unknown SSAP 0x3e > 00:10:db:fc:40:05
Unknown DSAP 0x78 Information, send seq 32, rcv seq 0, Flags [Response],
length 52
20:55:14.108298 00:50:56:95:45:00 Unknown SSAP 0x40 > 00:10:db:fc:40:05
Unknown DSAP 0x78 Information, send seq 32, rcv seq 0, Flags [Command],
length 138
20:55:14.108354 00:50:56:95:45:00 Unknown SSAP 0x40 > 00:10:db:fc:40:05
Unknown DSAP 0x78 Information, send seq 32, rcv seq 0, Flags [Response],
length 58
20:55:14.108423 00:50:56:95:45:00 STP > 00:10:db:fc:40:05 Unknown DSAP
0x78 Information, send seq 32, rcv seq 0, Flags [Command], length 89
20:55:14.109385 00:10:db:fc:45:00 Unknown SSAP 0x28 > 00:50:56:95:20:66
Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Response],
length 52
20:55:14.109395 00:10:db:fc:45:00 Unknown SSAP 0x2a > 00:50:56:95:20:66
Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command],
length 52
20:55:14.109400 00:10:db:fc:45:00 Unknown SSAP 0x2a > 00:50:56:95:20:66
Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Response],
length 52
20:55:14.109488 00:10:db:fc:45:00 Unknown SSAP 0x2c > 00:50:56:95:20:66
Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command],
length 95
20:55:14.109494 00:10:db:fc:45:00 Unknown SSAP 0x2c > 00:50:56:95:20:66
Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Response],
length 80
20:55:14.109567 00:50:56:95:45:00 STP > 00:10:db:fc:40:05 Unknown DSAP
0x78 Information, send seq 32, rcv seq 0, Flags [Response], length 52
20:55:14.110465 00:50:56:95:45:00 Unknown SSAP 0x44 > 00:10:db:fc:40:05
Unknown DSAP 0x78 Information, send seq 32, rcv seq 0, Flags [Command],
length 1206
20:55:14.110546 00:50:56:95:45:00 Unknown SSAP 0x44 > 00:10:db:fc:40:05
Unknown DSAP 0x78 Information, send seq 32, rcv seq 0, Flags [Response],
length 52
20:55:14.111141 00:10:db:fc:45:00 Unknown SSAP 0x2e > 00:50:56:95:20:66
Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command],
length 52
20:55:14.111327 00:10:db:fc:45:00 Unknown SSAP 0x2e > 00:50:56:95:20:66
Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Response],
length 75
20:55:14.111338 00:10:db:fc:45:00 Unknown SSAP 0x30 > 00:50:56:95:20:66
Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command],
length 52
20:55:14.111542 00:50:56:95:45:00 > 00:10:db:fc:40:05 Null Information,
send seq 32, rcv seq 0, Flags [Command], length 46
20:55:14.111581 00:50:56:95:45:00 > 00:10:db:fc:40:05 Null Information,
send seq 32, rcv seq 0, Flags [Command], length 46
20:55:14.119656 00:50:56:95:45:00 Unknown SSAP 0x44 > 00:50:56:95:20:64
Unknown DSAP 0xb6 Information, send seq 32, rcv seq 0, Flags [Command],
length 240
^C
22 packets captured
22 packets received by filter
0 packets dropped by kernel
[root@xxxanal01 khalavak]#
Best regards,
Kim Halavakoski
PGP S°: 0BFA A910 9AA7 94A5 A323 53F5 4151 4CE4 33BE 35FA
kim.halavakoski () crosskey fi
------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest
Snort news!
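Glenn's tip about the secondary NIC showing up as eth0 turns into a concrete check once you look at what the kernel knows about each interface rather than at its name. The script below is an added example, not code from the thread or from the Snort project; it reads the Linux sysfs tree (`/sys/class/net`), and the `sysroot` parameter exists so it can be pointed at a constructed copy of that tree for testing. It lists each interface with its MAC, the bus address behind its `device` symlink (which is what stays fixed when a distribution numbers the cards in an unexpected order), its link state and its packet counters, and then picks the physical interface that looks like a mirror-port input: lots of frames received, essentially none sent, as eth1 shows in the ifconfig output quoted above (RX 3668068, TX 0). The threshold in `likely_span_interface` is my own choice.

```python
"""Map Linux interface names to the physical port they belong to.

Added example, not code from the thread or from the Snort project. It reads
the kernel's sysfs tree; `sysroot` is a parameter so the functions can be run
against a constructed copy of that tree. Any interface names and counters in
such a test tree are made up.
"""
import os
from pathlib import Path
from typing import Any, Dict, List, Optional


def _read(path: Path, default: str = "?") -> str:
    """Read one sysfs attribute, returning `default` if it is absent."""
    try:
        return path.read_text().strip()
    except OSError:
        return default


def nic_inventory(sysroot: str = "/sys") -> List[Dict[str, Any]]:
    """One record per interface: name, MAC, bus address, link state, RX/TX packet counts.

    A physical NIC has a `device` symlink into the bus tree (e.g. 0000:02:00.0);
    lo, bridges and VLAN sub-interfaces have none, which is how they are told apart.
    """
    records = []
    for iface in sorted(Path(sysroot, "class", "net").iterdir()):
        dev = iface / "device"
        bus = os.path.basename(os.readlink(dev)) if dev.is_symlink() else None
        records.append({
            "name": iface.name,
            "mac": _read(iface / "address"),
            "bus": bus,
            "state": _read(iface / "operstate"),
            "rx_packets": int(_read(iface / "statistics" / "rx_packets", "0")),
            "tx_packets": int(_read(iface / "statistics" / "tx_packets", "0")),
        })
    return records


def likely_span_interface(records: List[Dict[str, Any]]) -> Optional[str]:
    """Pick the physical interface that behaves like a mirror-port sensor input.

    Heuristic (my own): receives at least 100x more frames than it transmits,
    the pattern a passive sensor port shows (RX in the millions, TX 0 in the mail).
    """
    candidates = [r for r in records
                  if r["bus"] and r["rx_packets"] > 100 * max(1, r["tx_packets"])]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r["rx_packets"])["name"]


if __name__ == "__main__":
    inventory = nic_inventory()
    for r in inventory:
        print("{name:8} {mac:17} {bus!s:14} {state:8} rx={rx_packets} tx={tx_packets}".format(**r))
    print("likely span input:", likely_span_interface(inventory))
```

Run it as root or not, it only reads sysfs. If the interface Snort is bound to is not the one `likely_span_interface` returns, or if two cards have swapped bus addresses between boots, that is the name confusion Glenn describes.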
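The "Unknown SSAP / Unknown DSAP" lines from tcpdump and the "Eth 100% / Other 100%" breakdown from Snort are the same symptom seen by two decoders: the two bytes after the MAC addresses hold a value of 1500 or less, so both tools treat the frame as IEEE 802.3 with an LLC header rather than Ethernet II with an EtherType, and Snort's decoder has no protocol bucket for it but "Other". The script below is an added example, not code from the Snort project or from anyone in the thread, that decodes frames the same way and so reproduces what those tools print. It also scans each frame for an IPv4 header at a non-standard offset. That second check is motivated by my own reading of the tcpdump output quoted above, which the thread itself does not draw on this page: every "source" address ends in 45:00 (the first two bytes of an IPv4 header, version 4 and IHL 5), every frame reports "send seq 32" (an LLC control byte of 0x40, which is what the IPv4 flags byte with DF set looks like), and the SSAP values step up by two with Command/Response alternating (an incrementing IP ID whose low bit tcpdump interprets as the C/R flag). That is what a capture looks like when some bytes in front of the IP header have gone missing, so the scan reports where a checksummed IPv4 header really starts. All frames here are constructed; the addresses are documentation ranges.

```python
"""Decode Ethernet frames the way libpcap/tcpdump and Snort's decoder do.

Added example; not code from the Snort project or from anyone in the thread.
The frames it builds are constructed, not taken from the capture in the mail.
"""
import struct
from typing import Any, Dict, Optional

ETHERTYPE_IPV4, ETHERTYPE_VLAN, ETHERTYPE_QINQ = 0x0800, 0x8100, 0x88A8
MAX_8023_LENGTH = 0x05DC  # 1500: a type/length field at or below this is an 802.3 length, not an EtherType


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def classify_frame(frame: bytes) -> Dict[str, Any]:
    """Say what a decoder makes of the frame: 'IP4', 'LLC' (Snort counts it as 'Other'), 'Other' or 'short'."""
    if len(frame) < 14:
        return {"decode": "short"}
    src, off, vlan = frame[6:12].hex(":"), 12, None
    type_or_len = struct.unpack("!H", frame[off:off + 2])[0]
    while type_or_len in (ETHERTYPE_VLAN, ETHERTYPE_QINQ) and len(frame) >= off + 6:
        vlan = struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF  # innermost VLAN id
        off += 4
        type_or_len = struct.unpack("!H", frame[off:off + 2])[0]
    payload = frame[off + 2:]
    if type_or_len <= MAX_8023_LENGTH:
        # 802.3 framing: the next three bytes are an LLC header (DSAP, SSAP, control).
        # tcpdump prints the SSAP with its low (command/response) bit masked off and an
        # I-frame control byte as "send seq N" with N = control >> 1.
        dsap, ssap_field, ctrl = (payload + b"\x00" * 3)[:3]
        return {"decode": "LLC", "src": src, "vlan": vlan, "dsap": dsap, "ssap": ssap_field & ~1,
                "cr": "Response" if ssap_field & 1 else "Command",
                "send_seq": (ctrl >> 1) & 0x7F if not ctrl & 1 else None}
    if type_or_len == ETHERTYPE_IPV4 and len(payload) >= 20:
        return {"decode": "IP4", "src": src, "vlan": vlan,
                "ip_src": ".".join(map(str, payload[12:16])),
                "ip_dst": ".".join(map(str, payload[16:20]))}
    return {"decode": "Other", "src": src, "vlan": vlan, "ethertype": type_or_len}


def find_ipv4_header(frame: bytes, max_offset: int = 32) -> Optional[int]:
    """Scan the start of the frame for a plausible IPv4 header and return its offset.

    A hit needs version 4 / IHL 5, a total length that fits the remaining bytes, and a
    valid header checksum. 14 is the Ethernet II position, 18 means one 802.1Q tag; a
    smaller value means bytes went missing in front of the IP header before capture.
    """
    for off in range(0, min(max_offset, len(frame) - 20) + 1):
        hdr = frame[off:off + 20]
        total_len = struct.unpack("!H", hdr[2:4])[0]
        if hdr[0] == 0x45 and 20 <= total_len <= len(frame) - off and ipv4_checksum(hdr) == 0:
            return off
    return None


def build_ipv4_frame(ip_id: int, vlan: Optional[int] = None) -> bytes:
    """Constructed Ethernet II (optionally 802.1Q-tagged) frame carrying a small IPv4/UDP datagram."""
    udp = struct.pack("!HHHH", 1234, 53, 16, 0) + b"probe!!!"  # 16-byte UDP datagram, zero checksum
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ip_id, 0x4000, 64, 17, 0,
                      bytes([192, 0, 2, 10]), bytes([192, 0, 2, 53]))  # DF set, TTL 64, proto UDP
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]  # fill in the header checksum
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    dst, src = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # made-up MACs
    return dst + src + tag + struct.pack("!H", ETHERTYPE_IPV4) + hdr + udp


def diagnose(frame: bytes) -> Dict[str, Any]:
    """Both views at once: how the frame decodes as captured, and where an IPv4 header actually sits."""
    result = classify_frame(frame)
    result["ipv4_header_at"] = find_ipv4_header(frame)
    return result


if __name__ == "__main__":
    intact = build_ipv4_frame(ip_id=0x6C26)
    for label, frame in (("intact", intact), ("tagged", build_ipv4_frame(0x6C27, vlan=100)),
                         ("shifted", intact[4:])):  # 'shifted' drops the first four bytes of the frame
        print(label, diagnose(frame))
```

The "shifted" case is the interesting one: the same frame minus its first four bytes decodes as LLC with DSAP 0x6c, SSAP 0x26, "Command" and "send seq 32", with a source address ending in 45:00, which is exactly the shape of the lines in the mail, while `find_ipv4_header` still locates the real header at offset 10. To use this on a sensor, read raw frames out of a pcap taken with `tcpdump -w` and pass each one to `diagnose`; a consistent offset other than 14 or 18 across the whole capture points at the capture path (NIC driver, offloads, or the mirror itself) rather than at Snort.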
