Snort mailing list archives
Re: Is there some problem w/ 3Com cards?
From: "Jason A. Haynes" <jahaynes () erols com>
Date: Sun, 15 Jul 2001 15:55:27 -0400 (EDT)
On Fri, 13 Jul 2001, Kiira Triea wrote:
A friend tells me 3Com cards have some problems - like dropping all malformed packets. I have bought a 3Com 3C900 XL because it is a PCI card and it has an AUI port. Anyone ever have any problems with this or cards like 3C509 and snort?Your friend is mostly correct. The majority of current NIC cards have low-level logic built into the integrated circuits to "inspect" incoming packets, and if that packet is corrupted, it will be dropped. In most NIC cards, those dropped packets are not counted by any sort of management logic, and promiscous mode has absolutely nothing to do with whether you can "see" those damaged ethernet packets or not.Ok, that was the main point or question I am not so sure of - whether any of this affected promiscuous mode ability of the card. Thanks for the help!
NICs will not have the level of comprehension snort does. Snort will be useful on any NIC, not just for content searches and port scans but wacky TCP/IP flags and out of stream data. The NIC's looking at the ethernet header for errors, and probably doesn't error check the IP header much at all, if any. NICs are mostly a layer 1 device (OSI 7 layer networking model). Also, NICs shouldn't be keeping state info on whether or not to expect an RST or SYN ACK packet on a particular port; that's the job of the TCP/IP stacks (in your OS/kernel). And.. I have yet to see a card which doesn't at least pretend to log errors & dropped packets. Maybe it doesn't log *all* of them, but check ifconfig and netstat (unix) for which flags to use to check on your stats. Note the stats are usually cumulative since the last boot. In Solaris the undocumented 'ifconfig -k' does the most verbose; on my Linux it shows dropped & error statistics by default. netstat(1) is also fun; check it out. This shouldn't have anything to do with promiscuous mode, either. _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Is there some problem w/ 3Com cards? Kiira Triea (Jul 12)
- Re: Is there some problem w/ 3Com cards? Rich Adamson (Jul 12)
- Re: Is there some problem w/ 3Com cards? Kiira Triea (Jul 13)
- Re: Is there some problem w/ 3Com cards? Jason A. Haynes (Jul 15)
- Re: Is there some problem w/ 3Com cards? Kiira Triea (Jul 13)
- Re: Is there some problem w/ 3Com cards? Rich Adamson (Jul 12)