Snort mailing list archives
Re: Newbie Q on making it work
From: Faber Fedor <faber () linuxnj com>
Date: Wed, 27 Nov 2002 10:04:38 -0500
On Wed, Nov 27, 2002 at 06:45:24AM -0700, Slighter, Tim wrote:
Better yet, disable the IP'd interface on your snort system and then run TCPDUMP on the stealth interface and see if it is picking up any type of traffic.
Good idea! So I did that, now I'm totally confused.

I'm not seeing any web traffic. I am seeing DNS traffic (which goes out of my network onto the internet). So I changed my topology thusly:

    Internet -> cablemodem -> Linksys BEFSR41 ---> snort1
                                               |--> surfer
                                               |--> Linksys EFAHO5W --> other computers

Where the "surfer" is a Windows XP machine running a 100 Mbit card and does the web surfing.

I *still* don't see any data. How can that be? The traffic *has to* go through the BEFSR41 box, which means every device connected to it will see the traffic. Right?

Alright, let's do this...

    cablemodem -> BEFSR41 --> surfer
                          |-> EFAHO5W --> snort1
                                      |-> surfer2

Okay, *now* I see data from surfer2. At least I have something to work with.

Since EFAH05W is actually a switch (which I did not know, thanks for pointing that out), I can understand why surfer wouldn't see data going from snort1 to surfer2. What I don't understand is how data can go from surfer2 to the internet without it being passed to all of the devices attached to the BEFSR41.

I guess it's time I broke down and studied for that CCNA test, eh?

Sorry to have bothered you guys with a non-snort problem. The next time I post, I promise it'll be with a problem about snort. :-)

--
Regards,
Faber

Linux New Jersey: Open Source Solutions for New Jersey
http://www.linuxnj.com
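The tcpdump check suggested in this thread can be turned into a sensor-placement test. The script below is an added example, not part of the original post: it reads `tcpdump -e -n` output and reports whether the sensor interface receives unicast frames exchanged between other hosts. It assumes tcpdump's current link-level header layout, and every MAC address, IP address and capture line in it is constructed.

```python
import re
from collections import Counter

# Link-level header printed by `tcpdump -e -n`: "<time> <src mac> > <dst mac>,"
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
FRAME_RE = re.compile(rf"^\S+\s+({MAC})\s+>\s+({MAC}),", re.IGNORECASE)

def classify(src, dst, sensor_mac):
    """Label one frame by its addressing, from the sensor's point of view."""
    if sensor_mac in (src, dst):
        return "own"                  # sent by or addressed to the sensor itself
    if dst == "ff:ff:ff:ff:ff:ff":
        return "broadcast"            # flooded to every port, even on a switch
    if int(dst[:2], 16) & 1:          # I/G bit set: group (multicast) address
        return "multicast"
    return "foreign_unicast"          # unicast between two other hosts

def summarize(lines, sensor_mac):
    """Count frame classes in an iterable of tcpdump -e -n output lines."""
    counts = Counter()
    for line in lines:
        m = FRAME_RE.match(line.strip())
        if m:                         # skip continuation and non-frame lines
            src, dst = m.group(1).lower(), m.group(2).lower()
            counts[classify(src, dst, sensor_mac.lower())] += 1
    return counts

def sees_other_hosts(counts):
    """True when the capture holds traffic the sensor is not a party to."""
    return counts["foreign_unicast"] > 0

SENSOR = "00:0c:29:aa:bb:0f"          # constructed sensor MAC

# Constructed capture: sensor on a switched port (only flooded frames arrive).
SWITCHED_CAPTURE = [
    "10:04:38.000001 00:0c:29:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.1 tell 192.168.1.100, length 46",
    "10:04:38.100000 00:0c:29:aa:bb:01 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 87: 192.168.1.100.5353 > 224.0.0.251.5353: UDP, length 45",
]
# Constructed capture: sensor on a shared segment (other hosts' web traffic arrives).
SHARED_CAPTURE = SWITCHED_CAPTURE + [
    "10:04:39.000000 00:0c:29:aa:bb:02 > 00:06:25:11:22:33, ethertype IPv4 (0x0800), length 74: 192.168.1.101.1045 > 203.0.113.10.80: Flags [S], length 0",
    "10:04:39.020000 00:06:25:11:22:33 > 00:0c:29:aa:bb:02, ethertype IPv4 (0x0800), length 74: 203.0.113.10.80 > 192.168.1.101.1045: Flags [S.], length 0",
]

if __name__ == "__main__":
    for name, cap in (("switched", SWITCHED_CAPTURE), ("shared", SHARED_CAPTURE)):
        c = summarize(cap, SENSOR)
        print(name, dict(c), "sees other hosts:", sees_other_hosts(c))
```

A capture that contains only broadcast and multicast frames means the sensor port is switched and Snort will miss the unicast traffic it is meant to inspect.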