Snort mailing list archives

RE: Token ring support of snort


From: "Karl Lovink" <karl () lovink net>
Date: Thu, 1 Nov 2001 21:04:25 +0100

Bulent and Marty,

We are using several snort sensors on Token Ring without any problems.
The only difference is the Operating System. We are using Linux and not
Win32. Maybe it's a libpcap problem?

Greetz,
Karl


-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Martin Roesch
Sent: Thursday, 1 November 2001 17:02
To: bulent_sahin () tb net tr
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Token ring support of snort

That's very possible, the Token Ring users of Snort are a pretty small
set of people, and I think you're the first person that's tried it on
Windows.  If you could capture some packets with Ethereal and mail them
to me (the binary packet captures), I'll see if I can update the
decoder.

     -Marty

bulent_sahin () tb net tr wrote:

Yes, the interface name is correct. I tried, but the same thing happened.
The program captures some frames, but categorizes them as OTHER. I suppose
that snort does not understand token-ring, llc2 and snap headers?
Thanks
Bulent

From: Martin Roesch <roesch () sourcefire com>
Sent by: roesch () mail sourcefire com
Date: 01.11.2001 17:04
To: bulent_sahin () tb net tr
cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Token ring support of snort

Is that the right interface name for the T/R interface?  To get a list
of the interfaces that are available run 'snort -W', then set the
sniffing interface with 'snort -i <intf>'

    -Marty

bulent_sahin () tb net tr wrote:

Hi,

Does anybody know about token ring support of snort? A few days ago I
installed snort on my computer, but when I try "snort -v" it assumes
that all packets are ethernet packets. Winpcap and ethereal work
fine. I pasted "snort -v" output below.

C:\Downloads\Snort-1.8.1-win32-static\Snort-1.8.1-win32\snort -v
Log directory =

        --== Initializing Snort ==--

Initializing Network Interface \
Decoding Ethernet on interface \Device\Packet_MDGNDIS41

        --== Initialization Complete ==--

-*> Snort! <*-
Version 1.8-WIN32 (Build 74)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
1.7-WIN32 Port By Michael Davis (mike () datanerds net, ww
1.8-WIN32 Port By Chris Reid (chris.reid@codecraftconsu
          (based on code from 1.7 port)

=======================================================
Snort analyzed 1312 out of 1312 packets, dropping 0(0.0

Breakdown by protocol:                Action Stats:
    TCP: 0          (0.000%)          ALERTS: 0
    UDP: 0          (0.000%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 1311       (99.924%)
DISCARD: 0          (0.000%)
=======================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
    Fragment Trackers: 0
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
  Frag2 memory faults: 0
=======================================================
TCP Stream Reassembly Stats:
        TCP Packets Used: 0          (0.000%)
         Stream Trackers: 0
          Stream flushes: 0
           Segments used: 0
   Stream4 Memory Faults: 0
=======================================================
pcap_loop: read error: PacketReceivePacket failedpcap_s
r
Snort received signal 3, exiting

Thanks,
Bulent

--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
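
The header layers mentioned in the thread (Token Ring, LLC, SNAP), walked in C as an added example; this is not code from the thread or from Snort's decoder. The function name, constants and the sample frame are constructed for illustration, and only LLC UI frames with a SNAP header are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TR_HDR_LEN   14   /* AC(1) + FC(1) + DA(6) + SA(6) */
#define LLC_SNAP_LEN 8    /* DSAP, SSAP, CTRL, OUI(3), EtherType(2) */

/* Returns the SNAP EtherType of an 802.5 frame and sets *l3_off to the start
 * of the network-layer header; returns -1 for MAC, non-SNAP or short frames. */
int tr_snap_ethertype(const uint8_t *p, size_t len, size_t *l3_off)
{
    size_t off = TR_HDR_LEN;
    if (len < TR_HDR_LEN)
        return -1;
    if ((p[1] & 0xC0) != 0x40)      /* FC frame-type bits: 01 = LLC frame */
        return -1;
    if (p[8] & 0x80) {              /* RII bit in source address: RIF follows */
        size_t rif_len;
        if (len < off + 2)
            return -1;
        rif_len = p[off] & 0x1F;    /* length field covers the whole RIF */
        if (rif_len < 2 || (rif_len & 1))
            return -1;
        off += rif_len;
    }
    if (len < off + LLC_SNAP_LEN)
        return -1;
    if (p[off] != 0xAA || p[off + 1] != 0xAA || p[off + 2] != 0x03)
        return -1;                  /* not LLC UI + SNAP */
    *l3_off = off + LLC_SNAP_LEN;
    return (p[off + 6] << 8) | p[off + 7];
}

/* Constructed sample: source-routed LLC frame carrying SNAP/IPv4, truncated. */
static const uint8_t sample_frame[] = {
    0x10, 0x40,                                     /* AC, FC (LLC frame) */
    0x00, 0x00, 0x5e, 0x00, 0x53, 0x01,             /* destination (constructed) */
    0x80, 0x00, 0x5e, 0x00, 0x53, 0x02,             /* source, RII bit set */
    0x06, 0x30, 0x00, 0x11, 0x00, 0x20,             /* 6-byte RIF: control + 2 hops */
    0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00, /* LLC + SNAP, EtherType 0x0800 */
    0x45, 0x00                                      /* first bytes of IPv4 header */
};

int main(void)
{
    size_t l3 = 0;
    int et = tr_snap_ethertype(sample_frame, sizeof sample_frame, &l3);
    printf("ethertype=0x%04x l3_offset=%zu\n", (unsigned)et, l3);
    return 0;
}
```

A decoder that instead treats these bytes as an Ethernet header reads the type field from the wrong offset, which is consistent with frames being counted as OTHER.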


