Snort mailing list archives
Re: Snort not seeing IP-traffic, just Ether/Other
From: "Kim.Halavakoski () Crosskey fi" <Kim.Halavakoski () Crosskey fi>
Date: Thu, 18 Apr 2013 20:36:23 +0000
Hello all,
the position of the NIC is not the issue, the box has 2 interfaces and
the other is used for management traffic. I would notice if I'd mixed up
those two. The box is not virtualized, running on plain hardware.
I tried setting the stuff with ethtool; here are the settings currently
set, as shown by ethtool:
[root@xxxanal01 ]# ethtool -k eth1
Features for eth1:
rx-checksumming: off
tx-checksumming: off
scatter-gather: off
tcp-segmentation-offload: off
udp-fragmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off
rx-vlan-offload: on
tx-vlan-offload: on
ntuple-filters: off
receive-hashing: off
Also, any VLAN action going on? Yes, there should be and are VLANs on the
span port (Windows 7 sees them...) but for some reason the VLAN traffic
is not seen by this box with the current configuration and OS.
Finally, I am getting traffic on the interface it seems; the rx_octets,
rx_ucast_packets, rx_mcast_packets and rx_bcast_packets stats are
increasing:
[root@cbslprdanal01 khalavak]# ethtool -S eth1
NIC statistics:
rx_octets: 1127183878
rx_fragments: 0
rx_ucast_packets: 5659825
rx_mcast_packets: 222
rx_bcast_packets: 544
rx_fcs_errors: 0
rx_align_errors: 0
rx_xon_pause_rcvd: 0
rx_xoff_pause_rcvd: 0
rx_mac_ctrl_rcvd: 0
rx_xoff_entered: 0
rx_frame_too_long_errors: 0
rx_jabbers: 0
rx_undersize_packets: 0
rx_in_length_errors: 0
rx_out_length_errors: 0
rx_64_or_less_octet_packets: 0
rx_65_to_127_octet_packets: 0
rx_128_to_255_octet_packets: 0
rx_256_to_511_octet_packets: 0
rx_512_to_1023_octet_packets: 0
rx_1024_to_1522_octet_packets: 0
rx_1523_to_2047_octet_packets: 0
rx_2048_to_4095_octet_packets: 0
rx_4096_to_8191_octet_packets: 0
rx_8192_to_9022_octet_packets: 0
tx_octets: 0
tx_collisions: 0
tx_xon_sent: 0
tx_xoff_sent: 0
tx_flow_control: 0
tx_mac_errors: 0
tx_single_collisions: 0
tx_mult_collisions: 0
tx_deferred: 0
tx_excessive_collisions: 0
tx_late_collisions: 0
tx_collide_2times: 0
tx_collide_3times: 0
tx_collide_4times: 0
tx_collide_5times: 0
tx_collide_6times: 0
tx_collide_7times: 0
tx_collide_8times: 0
tx_collide_9times: 0
tx_collide_10times: 0
tx_collide_11times: 0
tx_collide_12times: 0
tx_collide_13times: 0
tx_collide_14times: 0
tx_collide_15times: 0
tx_ucast_packets: 0
tx_mcast_packets: 0
tx_bcast_packets: 0
tx_carrier_sense_errors: 0
tx_discards: 0
tx_errors: 0
dma_writeq_full: 0
dma_write_prioq_full: 0
rxbds_empty: 0
rx_discards: 0
rx_errors: 0
rx_threshold_hit: 0
dma_readq_full: 0
dma_read_prioq_full: 0
tx_comp_queue_full: 0
ring_set_send_prod_index: 0
ring_status_update: 0
nic_irqs: 0
nic_avoided_irqs: 0
nic_tx_threshold_hit: 0
mbuf_lwm_thresh_hit: 0
[root@cbslprdanal01 khalavak]# ethtool -S eth1
NIC statistics:
rx_octets: 1135510993
rx_fragments: 0
rx_ucast_packets: 5710822
rx_mcast_packets: 224
rx_bcast_packets: 549
<CUT THE REST>
Still at a loss with this... counters are increasing, traffic seems to be
there, but IP-traffic is not seen by snort or tcpdump.
Best regards,
Kim Halavakoski
Chief Security Officer
Tel N°+358 [0] 204 291 187
Mob N°+358 [0] 40 702 7844
PGP S°: 0BFA A910 9AA7 94A5 A323 53F5 4151 4CE4 33BE 35FA
kim.halavakoski () crosskey fi
Crosskey
Elverksgatan 10
AX-22 100 Mariehamn, Åland
Tel N°+358 [0] 204 29 022
www.crosskey.fi
On 04/18/2013 09:52 PM, James Lay wrote:
> On 2013-04-18 12:01, Kim.Halavakoski () Crosskey fi wrote:
>> Hello, I have set up a snort-sensor on a RedHat Linux box with traffic
>> from a switch span-port feeding eth1 on the box. The traffic contains
>> vlan-tagged traffic, if that makes any difference. The problem is that I
>> am just getting some weird multicast / SSAP and DSAP encapsulated
>> Ethernet frames on that interface on the Linux box, but when a colleague
>> plugged in his laptop with Windows 7 on the same port it saw all the
>> traffic that I would like to see, meaning IP-traffic from the monitored
>> networks. So Windows 7 sees the traffic, but the Linux box running snort
>> just sees weird multicast / SSAP / DSAP traffic. tcpdump does not show
>> any IP traffic either. I know this is probably not a snort-question per
>> se, but this being the snort-users list I think some of you guys might
>> have some good insights into this behaviour; probably easy to fix, but I
>> just can't get it right now :( Any ideas on what I am doing wrong here?
>>
>> Best regards,
>> Kim Halavakoski
>
> Doesn't seem like your span-port is working... you should at least see
> broadcast though... that's weird. Try setting your nic offloading (as
> root and with ethtool installed):
>
> ethtool -K eth1 rx off
> ethtool -K eth1 tx off
> ethtool -K eth1 sg off
> ethtool -K eth1 tso off
> ethtool -K eth1 gso off
> ethtool -K eth1 gro off
>
> Also, any VLAN action going on?
>
> James
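An added example, not from this thread or from Snort itself: a small Python frame classifier that shows why raw IEEE 802.3 frames carrying an LLC DSAP/SSAP header are reported as Ether/Other while 802.1Q-tagged IP frames decode as IP once the tag is peeled. It goes a little beyond the thread by also peeling 802.1ad (QinQ) double tags; the sample frames are constructed, not captured from the sensor discussed above.

```python
import struct
from collections import Counter

# EtherType values the classifier names; anything else is reported as "other"
ETHERTYPE_NAMES = {0x0800: "ipv4", 0x0806: "arp", 0x86DD: "ipv6"}
VLAN_TAG_TYPES = (0x8100, 0x88A8)   # 802.1Q and 802.1ad (QinQ) tag EtherTypes


def classify_frame(frame: bytes) -> dict:
    """Classify one raw Ethernet frame as a sensor would see it: returns the
    kind ('llc', 'ipv4', 'arp', 'ipv6' or 'other'), the VLAN IDs peeled from
    any 802.1Q/802.1ad tags, and the EtherType or the LLC DSAP/SSAP pair."""
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    vlans, offset = [], 14
    # Peel VLAN tags: each is a 2-byte TCI followed by the next type/length.
    while type_or_len in VLAN_TAG_TYPES:
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, type_or_len = struct.unpack("!HH", frame[offset:offset + 4])
        vlans.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VLAN ID
        offset += 4
    if type_or_len <= 1500:
        # IEEE 802.3: the field is a length, so an LLC header (DSAP, SSAP,
        # control) follows instead of an EtherType. Tools that do not decode
        # LLC show such frames as "Ether/Other", never as IP.
        if len(frame) < offset + 3:
            raise ValueError("truncated LLC header")
        return {"kind": "llc", "vlans": vlans,
                "dsap": frame[offset], "ssap": frame[offset + 1]}
    return {"kind": ETHERTYPE_NAMES.get(type_or_len, "other"),
            "vlans": vlans, "ethertype": type_or_len}


def summarize(frames) -> dict:
    """Count frame kinds: the breakdown to compare against Snort's statistics."""
    return dict(Counter(classify_frame(f)["kind"] for f in frames))


# Constructed sample frames (not captured from the thread's sensor):
MAC_MCAST_STP = bytes.fromhex("0180c2000000")      # 802.1D bridge group address
MAC_A, MAC_B = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
IPV4_HDR = bytes.fromhex("45") + bytes(19)         # minimal IPv4 header stub
STP_BPDU_FRAME = MAC_MCAST_STP + MAC_A + bytes.fromhex("0026") \
    + bytes.fromhex("424203") + bytes(35)          # length 38, LLC DSAP/SSAP 0x42
UNTAGGED_IPV4_FRAME = MAC_B + MAC_A + bytes.fromhex("0800") + IPV4_HDR
TAGGED_IPV4_FRAME = MAC_B + MAC_A + bytes.fromhex("81000064") \
    + bytes.fromhex("0800") + IPV4_HDR             # 802.1Q tag, VLAN 100
QINQ_IPV4_FRAME = MAC_B + MAC_A + bytes.fromhex("88a8000a") \
    + bytes.fromhex("81000064") + bytes.fromhex("0800") + IPV4_HDR
```

Run `summarize` over frames read from a capture on the span interface: a result that is all `llc` with no `ipv4` matches the symptom in this thread, and a non-empty `vlans` list on the IP frames confirms the tags are reaching the host.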