Snort mailing list archives
Re: Stealth interface not seeing any IP traffic
From: Rich Adamson <radamson () routers com>
Date: Sun, 23 Jan 2005 10:07:56 -0600
I use a Netgear DS104 professionally on a regular basis to do this. Many of these (including the ds104) will act as a switch "if" the port speeds are different. E.g., if your internet router is running 10 meg and snort is running 100 meg, then it operates as a switch. If port speeds are the same, it operates as a hub. Might even check this on your Linksys just to be sure. (I don't use the Linksys stuff so not sure if this applies or not.) ------------------------
I was afraid that my hub may be acting more like a switch. Can anyone recommend a hub that they know works for this application? This is just for home, so I'm looking for something inexpensive. There's a bunch of Netgear EN104 hubs on ebay now. Has anyone used this hub to monitor their cable Internet? It's strictly 10Mbit, so I think there's a better chance.

Thanks.

----- Original Message -----
From: "Ron Jenkins" <rjenkins () dibr net>
To: <dhumes001 () comcast net>; "snort-users" <snort-users () lists sourceforge net>
Sent: Saturday, January 22, 2005 9:43 PM
Subject: RE: [Snort-users] Stealth interface not seeing any IP traffic

If that is a Linksys Everywhere Hub, it is not really a hub. You will have to find an old hub.

Thanks...

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of David G. Humes
Sent: Saturday, January 22, 2005 8:02 PM
To: snort-users
Subject: [Snort-users] Stealth interface not seeing any IP traffic

I just set up a system for running snort at home and I'm having a problem with the monitoring interface not seeing any IP traffic. If I do a tcpdump on the monitoring interface all I see is the usual boatload of arp requests and an occasional igmp message. It's a Redhat 9 system with libpcap-0.8.3. The monitoring interface is plugged into a port on a hub that sits between my cable modem and my router/switch. FWIW the hub is a Linksys NH1005-WM.

Here's the configuration of eth1.

    eth1      Link encap:Ethernet  HWaddr 00:01:02:C9:D6:53
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:44499 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:2673544 (2.5 Mb)  TX bytes:120 (120.0 b)
              Interrupt:10 Base address:0x1480

Here's my /etc/sysconfig/network-scripts/ifcfg-eth1 file.

    TYPE=Ethernet
    DEVICE=eth1
    BOOTPROTO=static
    ONBOOT=yes
    IPADDR=0.0.0.0

I've also tried setting eth1 noarp and promisc, but that does not make any difference. And I tried giving the interface an address and that didn't help either. I know the interface works, as I have used it as the management interface to the sensor.

Any thoughts?

-------------------------------------------------------
This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting Tool for open source databases. Create drag-&-drop reports. Save time by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc. Download a FREE copy at http://www.intelliview.com/go/osdn_nl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

---------------End of Original Message-----------------
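The symptom reported in this thread (only ARP and IGMP on the monitoring port) is what a switched port delivers: broadcast and multicast frames, but no unicast meant for other hosts. The following is an added example, not part of the original messages, that classifies captured Ethernet frames by destination MAC to tell the two cases apart; the function names and every MAC address except the eth1 HWaddr quoted above are constructed for illustration.

```python
from collections import Counter

BROADCAST = bytes.fromhex("ffffffffffff")
OWN_MAC = bytes.fromhex("000102c9d653")   # eth1 HWaddr quoted in the thread

def classify_dst(frame: bytes, own_mac: bytes) -> str:
    """Return the delivery class of one raw Ethernet frame."""
    if len(frame) < 14:
        return "runt"                      # too short to hold an Ethernet header
    dst = frame[0:6]
    if dst == BROADCAST:
        return "broadcast"
    if dst[0] & 0x01:                      # I/G bit set: group (multicast) address
        return "multicast"
    if dst == own_mac:
        return "unicast_self"
    return "unicast_other"                 # addressed to some other host

def port_verdict(frames, own_mac: bytes, min_other: int = 1) -> str:
    """Decide whether the sensor port behaves like a hub or a switch port."""
    counts = Counter(classify_dst(f, own_mac) for f in frames)
    if counts["unicast_other"] >= min_other:
        return "shared"      # other hosts' unicast reaches us: hub behaviour
    if counts["broadcast"] + counts["multicast"] > 0:
        return "switched"    # only flooded traffic arrives: sensor is blind
    return "no-traffic"

def make_frame(dst_hex: str, src_hex: str, ethertype: int) -> bytes:
    """Build a minimal 60-byte frame with a zero payload (constructed data)."""
    header = (bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
              + ethertype.to_bytes(2, "big"))
    return header.ljust(60, b"\x00")

# Constructed samples; the source and destination MACs here are made up.
ARP_REQUEST = make_frame("ffffffffffff", "020000000001", 0x0806)
IGMP_QUERY = make_frame("01005e000001", "020000000001", 0x0800)
OTHER_HOST_IP = make_frame("020000000002", "020000000001", 0x0800)

SWITCHED_CAPTURE = [ARP_REQUEST] * 20 + [IGMP_QUERY]
HUB_CAPTURE = SWITCHED_CAPTURE + [OTHER_HOST_IP] * 10

if __name__ == "__main__":
    print("port behind switching device:", port_verdict(SWITCHED_CAPTURE, OWN_MAC))
    print("port on a true hub:", port_verdict(HUB_CAPTURE, OWN_MAC))
```

A switch also floods unicast frames for destinations it has not learned yet, so on a short capture raise `min_other` before trusting a "shared" verdict.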
Current thread:
- Stealth interface not seeing any IP traffic David G. Humes (Jan 22)
- <Possible follow-ups>
- RE: Stealth interface not seeing any IP traffic Ron Jenkins (Jan 22)
- Re: Stealth interface not seeing any IP traffic Dave Humes (Jan 23)
- Re: Stealth interface not seeing any IP traffic Rich Adamson (Jan 23)
- Re: Stealth interface not seeing any IP traffic Dave Humes (Jan 23)