Snort mailing list archives
Re: AW: 3 or 4 NICs in a sensor?
From: Ben Feinstein <me () benfeinstein net>
Date: Sun, 29 Sep 2002 12:54:39 -0700 (PDT)
Hey Sandro, I only saw problems while putting the card under heavy load for extended periods of time. I was using Linux 2.4.18 compiled with FreeS/WAN and whatever version of the tulip and realtek NIC drivers were included w/ the kernel. One interface on the 4-port NIC was running Snort promisc, one iface was collecting a bunch of syslogs, and another was doing Nessus scanning. One of the interfaces on the 4-port NIC was left unused. I was also using an on-board NIC w/ the realtek driver. The on-board NIC was running an IPSec net-to-net tunnel, with a good bit of traffic. The host had a fairly complex iptables policy installed, with policy defined globally and for each interface being used. A number of attack hosts were running Stick and Snot attacks on the Snort monitored network. After leaving the system up like this for some time, usually < 24 hours, the promisc interface on the 4-port NIC would stop seeing any packets. I verified that this wasn't a problem with Snort by running tcpdump on the same interface, and saw nothing. After dropping the interface out of promisc mode, still no packets were being seen on the iface. Restarting the network service (using the init.d script) would cause packets to resume arriving on the interface. I could not consistently reproduce the problem, but the interface usually hung after an extended duration of testing. I moved to the Intel PRO/100 S Dual card using a motherboard w/ dual on-board Intel NICs. I'm running the e100 driver on all 4 interfaces. Haven't seen this problem since... So, in summary, this may not neccessaruly have been a problem with the D-Link card itself. Perhaps there were (are?) bugs w/ running multiple tulip drivers under heavy load and mixing in a promisc iface? At the time I wasn't able to investigate the issue any further. I changed hardware and the problem went away, which was all I really wanted. Cheers, Ben On Sat, 28 Sep 2002, Poppi, Sandro wrote:
Ben, could you be a little more specific about the probs you've had with DLink DFE 570TX? I'm using it in 2 boxes and don't see any probs yet. Thanks, Sandro
------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- AW: 3 or 4 NICs in a sensor? Poppi, Sandro (Sep 26)
- <Possible follow-ups>
- AW: 3 or 4 NICs in a sensor? Poppi, Sandro (Sep 27)
- AW: 3 or 4 NICs in a sensor? Poppi, Sandro (Sep 28)
- Re: AW: 3 or 4 NICs in a sensor? Ben Feinstein (Sep 29)
- AW: 3 or 4 NICs in a sensor? Poppi, Sandro (Sep 28)