Snort mailing list archives
Re: Snort not seeing IP-traffic, just Ether/Other
From: Michal Purzynski <michal () rsbac org>
Date: Thu, 18 Apr 2013 20:45:19 +0200
Are you running SO in a VM of any kind? Is the ifconfig output on the sniffing interface growing as it should be?

On 4/18/13 8:01 PM, Kim.Halavakoski () Crosskey fi wrote:
Hello,

I have set up a snort-sensor on a RedHat Linux box with traffic from a switch span-port feeding eth1 on the box. The traffic contains vlan-tagged traffic, if that makes any difference.

The problem is that I am just getting some weird multicast / SSAP and DSAP encapsulated Ethernet frames on that interface on the Linux box, but when a colleague plugged in his laptop with Windows 7 on the same port it saw all the traffic that I would like to see, meaning IP-traffic from the monitored networks. So Windows 7 sees the traffic, but the Linux box running snort just sees weird multicast / SSAP / DSAP traffic. tcpdump does not show any IP traffic either.

I know this is probably not a snort-question per se, but this being the snort-users list I think some of you guys might have some good insights into this behaviour; it is probably easy to fix but I just can't get it right now :(

Any ideas on what I am doing wrong here?

The interface is set in promiscuous mode:

[root@xxxanal01 khalavak]# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:14:5E:2A:34:85
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:3668068 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:628710729 (599.5 MiB)  TX bytes:0 (0.0 b)
          Interrupt:16

Snort sees only Ether and Other traffic:

[root@xxxanal01 khalavak]# snort -i eth1
Running in packet dump mode

        --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eth1".
Decoding Ethernet

        --== Initialization Complete ==--

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.4.1 GRE (Build 69)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.0.0
           Using PCRE version: 7.8 2008-09-05
           Using ZLIB version: 1.2.3

Commencing packet processing (pid=3644)
^C*** Caught Int-Signal
===============================================================================
Run time for packet processing was 7.103551 seconds
Snort processed 1354 packets.
Snort ran for 0 days 0 hours 0 minutes 7 seconds
   Pkts/sec:          193
===============================================================================
Packet I/O Totals:
   Received:         1354
   Analyzed:         1354 (100.000%)
    Dropped:            0 (  0.000%)
   Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
   Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
        Eth: 1354 (100.000%)       VLAN: 0 (0.000%)          IP4: 0 (0.000%)
       Frag: 0 (0.000%)            ICMP: 0 (0.000%)          UDP: 0 (0.000%)
        TCP: 0 (0.000%)             IP6: 0 (0.000%)      IP6 Ext: 0 (0.000%)
   IP6 Opts: 0 (0.000%)           Frag6: 0 (0.000%)        ICMP6: 0 (0.000%)
       UDP6: 0 (0.000%)            TCP6: 0 (0.000%)       Teredo: 0 (0.000%)
    ICMP-IP: 0 (0.000%)         IP4/IP4: 0 (0.000%)      IP4/IP6: 0 (0.000%)
    IP6/IP4: 0 (0.000%)         IP6/IP6: 0 (0.000%)          GRE: 0 (0.000%)
    GRE Eth: 0 (0.000%)        GRE VLAN: 0 (0.000%)      GRE IP4: 0 (0.000%)
    GRE IP6: 0 (0.000%)     GRE IP6 Ext: 0 (0.000%)     GRE PPTP: 0 (0.000%)
    GRE ARP: 0 (0.000%)         GRE IPX: 0 (0.000%)     GRE Loop: 0 (0.000%)
       MPLS: 0 (0.000%)             ARP: 0 (0.000%)          IPX: 0 (0.000%)
   Eth Loop: 0 (0.000%)        Eth Disc: 0 (0.000%)     IP4 Disc: 0 (0.000%)
   IP6 Disc: 0 (0.000%)        TCP Disc: 0 (0.000%)     UDP Disc: 0 (0.000%)
  ICMP Disc: 0 (0.000%)     All Discard: 0 (0.000%)        Other: 1354 (100.000%)
Bad Chk Sum: 0 (0.000%)         Bad TTL: 0 (0.000%)       S5 G 1: 0 (0.000%)
     S5 G 2: 0 (0.000%)           Total: 1354
===============================================================================
Snort exiting
[root@xxxanal01 khalavak]#

Same with tcpdump, not seeing any IP-traffic, just weird "Unknown SSAP" and "Null information" packets:

[root@xxxanal01 khalavak]# tcpdump -nn -i eth1
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
20:55:14.105981 00:10:db:fc:45:00 Unknown SSAP 0x26 > 00:50:56:95:20:66 Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command], length 60
20:55:14.106120 00:50:56:95:45:00 > 00:10:db:fc:40:05 Null Information, send seq 32, rcv seq 0, Flags [Command], length 60
20:55:14.106840 00:10:db:fc:45:00 Unknown SSAP 0x26 > 00:50:56:95:20:66 Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Response], length 52
20:55:14.107173 00:10:db:fc:45:00 Unknown SSAP 0x28 > 00:50:56:95:20:66 Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command], length 191
20:55:14.107275 00:50:56:95:45:00 Unknown SSAP 0x3e > 00:10:db:fc:40:05 Unknown DSAP 0x78 Information, send seq 32, rcv seq 0, Flags [Response], length 52
20:55:14.108298 00:50:56:95:45:00 Unknown SSAP 0x40 > 00:10:db:fc:40:05 Unknown DSAP 0x78 Information, send seq 32, rcv seq 0, Flags [Command], length 138
20:55:14.108354 00:50:56:95:45:00 Unknown SSAP 0x40 > 00:10:db:fc:40:05 Unknown DSAP 0x78 Information, send seq 32, rcv seq 0, Flags [Response], length 58
20:55:14.108423 00:50:56:95:45:00 STP > 00:10:db:fc:40:05 Unknown DSAP 0x78 Information, send seq 32, rcv seq 0, Flags [Command], length 89
20:55:14.109385 00:10:db:fc:45:00 Unknown SSAP 0x28 > 00:50:56:95:20:66 Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Response], length 52
20:55:14.109395 00:10:db:fc:45:00 Unknown SSAP 0x2a > 00:50:56:95:20:66 Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command], length 52
20:55:14.109400 00:10:db:fc:45:00 Unknown SSAP 0x2a > 00:50:56:95:20:66 Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Response], length 52
20:55:14.109488 00:10:db:fc:45:00 Unknown SSAP 0x2c > 00:50:56:95:20:66 Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command], length 95
20:55:14.109494 00:10:db:fc:45:00 Unknown SSAP 0x2c > 00:50:56:95:20:66 Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Response], length 80
20:55:14.109567 00:50:56:95:45:00 STP > 00:10:db:fc:40:05 Unknown DSAP 0x78 Information, send seq 32, rcv seq 0, Flags [Response], length 52
20:55:14.110465 00:50:56:95:45:00 Unknown SSAP 0x44 > 00:10:db:fc:40:05 Unknown DSAP 0x78 Information, send seq 32, rcv seq 0, Flags [Command], length 1206
20:55:14.110546 00:50:56:95:45:00 Unknown SSAP 0x44 > 00:10:db:fc:40:05 Unknown DSAP 0x78 Information, send seq 32, rcv seq 0, Flags [Response], length 52
20:55:14.111141 00:10:db:fc:45:00 Unknown SSAP 0x2e > 00:50:56:95:20:66 Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command], length 52
20:55:14.111327 00:10:db:fc:45:00 Unknown SSAP 0x2e > 00:50:56:95:20:66 Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Response], length 75
20:55:14.111338 00:10:db:fc:45:00 Unknown SSAP 0x30 > 00:50:56:95:20:66 Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command], length 52
20:55:14.111542 00:50:56:95:45:00 > 00:10:db:fc:40:05 Null Information, send seq 32, rcv seq 0, Flags [Command], length 46
20:55:14.111581 00:50:56:95:45:00 > 00:10:db:fc:40:05 Null Information, send seq 32, rcv seq 0, Flags [Command], length 46
20:55:14.119656 00:50:56:95:45:00 Unknown SSAP 0x44 > 00:50:56:95:20:64 Unknown DSAP 0xb6 Information, send seq 32, rcv seq 0, Flags [Command], length 240
^C
22 packets captured
22 packets received by filter
0 packets dropped by kernel
[root@xxxanal01 khalavak]#

Best regards,
Kim Halavakoski
PGP: 0BFA A910 9AA7 94A5 A323 53F5 4151 4CE4 33BE 35FA
kim.halavakoski () crosskey fi
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
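Reading the output quoted above: tcpdump and Snort both decide what a frame is from the 16-bit field after the two MAC addresses. A value of 0x0600 or more is an EtherType (Ethernet II; 0x8100 is an 802.1Q tag and the real type follows it), a value of 1500 or less is an IEEE 802.3 length, and in that case the next three bytes are decoded as an LLC header (DSAP, SSAP, control). Snort's breakdown of Eth 1354 / Other 1354 / VLAN 0 / IP4 0 and tcpdump's "Unknown SSAP ... Unknown DSAP" lines are the same statement: no frame carried a 0x8100 or 0x0800 type field where the decoder looks for it. The script below is an added example, not code from this thread or from the Snort or tcpdump projects. It implements that decoder rule for frames pasted from `tcpdump -xx`, and adds one diagnostic of my own: an IPv4 packet whose first four bytes after the MACs (EtherType 08 00 and version/IHL/TOS 45 00) are absent decodes as an LLC frame whose DSAP/SSAP are the IP identification bytes and whose control word is the flags/fragment word (0x4000 for DF, which prints as "send seq 32, rcv seq 0"). Re-inserting those four bytes and verifying the IPv4 header checksum tests that reading against real bytes; it assumes IHL=5 and TOS=0. All MAC addresses, IP addresses, frames and the sample dump are constructed for the example, and whether a shifted header is what happened on Kim's span port is not established in this thread.

```python
"""Decode Ethernet frames the way the tcpdump/libpcap link-layer printer does.
Added example, not code from the thread. Rule for the 16-bit field after the MACs:
>= 0x0600 is an EtherType (Ethernet II; 0x8100 is a VLAN tag, the real type follows),
<= 0x05DC is an IEEE 802.3 length and an LLC header (DSAP, SSAP, control) follows.
All MACs, addresses, frames and the sample dump below are constructed for this example."""
import re
import struct

ETH_P_IP, ETH_P_8021Q, ETH_P_8021AD, MAX_8023_LENGTH = 0x0800, 0x8100, 0x88A8, 0x05DC
SAP_NAMES = {0x00: "Null", 0x42: "STP", 0xAA: "SNAP"}   # tcpdump clears the low bit before naming
_HEX_LINE = re.compile(r"^\s*0x([0-9a-fA-F]{4}):\s+((?:[0-9a-fA-F]{2,4}\s*)+)$")
_mac = lambda b: ":".join(f"{x:02x}" for x in b)
_ip = lambda b: ".".join(str(x) for x in b)

def decode_frame(frame: bytes) -> dict:
    """What a tcpdump-style decoder reports for one raw frame."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    info, off = {"dst": _mac(frame[:6]), "src": _mac(frame[6:12]), "vlans": []}, 12
    field = struct.unpack_from("!H", frame, off)[0]
    while field in (ETH_P_8021Q, ETH_P_8021AD) and len(frame) >= off + 6:   # peel VLAN tags
        info["vlans"].append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
        field = struct.unpack_from("!H", frame, off)[0]
    off += 2
    if field > MAX_8023_LENGTH:
        info.update(kind="Ethernet II", ethertype=field)
        if field == ETH_P_IP and len(frame) >= off + 20:
            ip = frame[off:off + 20]
            info.update(ip_proto=ip[9], ip_src=_ip(ip[12:16]), ip_dst=_ip(ip[16:20]))
        return info
    if len(frame) < off + 3:
        raise ValueError("802.3 frame truncated before the LLC header")
    dsap, ssap, ctrl = frame[off], frame[off + 1], frame[off + 2]
    info.update(kind="802.3/LLC", length=field, dsap=dsap, ssap=ssap,
                dsap_name=SAP_NAMES.get(dsap & 0xFE, "Unknown"), ssap_name=SAP_NAMES.get(ssap & 0xFE, "Unknown"))
    # I-frame (low bit 0): 16-bit control, N(S) is bits 1-7 of the first byte; 0x03 is the UI frame STP uses
    info["llc"] = (f"Information, send seq {ctrl >> 1}" if ctrl & 0x01 == 0
                   else "Unnumbered" if ctrl & 0x03 == 0x03 else "Supervisory")
    return info

def _ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 when verifying a header that carries its checksum."""
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_if_shifted(frame: bytes):
    """My diagnostic, an assumption rather than a finding from the thread: if the bytes after the
    MACs are an IPv4 header missing its EtherType (08 00) and version/IHL/TOS (45 00), restoring
    those bytes must make the header checksum verify (assumes IHL=5, TOS=0). None if it does not."""
    body = frame[12:30]                       # total length .. destination address
    if len(body) < 18:
        return None
    hdr = b"\x45\x00" + body
    if _ipv4_checksum(hdr) != 0:
        return None
    total_len, ident, flags_frag = struct.unpack_from("!HHH", hdr, 2)
    return {"total_length": total_len, "id": ident, "df": bool(flags_frag & 0x4000),
            "ttl": hdr[8], "proto": hdr[9], "src": _ip(hdr[12:16]), "dst": _ip(hdr[16:20])}

def frames_from_hexdump(text: str) -> list:
    """Parse `tcpdump -xx` style lines (`0x0000:  0050 5695 ...`); other lines are skipped."""
    frames, cur = [], None
    for m in filter(None, map(_HEX_LINE.match, text.splitlines())):
        if int(m.group(1), 16) == 0:          # offset 0x0000 starts a new frame
            cur = bytearray()
            frames.append(cur)
        if cur is not None:
            cur += bytes.fromhex("".join(m.group(2).split()))
    return [bytes(f) for f in frames]

def summarize(frames) -> dict:
    """Counts in the spirit of Snort's protocol breakdown, plus the shifted-IPv4 check."""
    counts = {"Ethernet II": 0, "802.3/LLC": 0, "VLAN-tagged": 0, "IPv4": 0, "shifted IPv4": 0}
    for f in frames:
        d = decode_frame(f)
        counts[d["kind"]] += 1
        counts["VLAN-tagged"] += bool(d["vlans"])
        counts["IPv4"] += d.get("ethertype") == ETH_P_IP
        counts["shifted IPv4"] += d["kind"] == "802.3/LLC" and ipv4_if_shifted(f) is not None
    return counts

def _ipv4_header(src, dst, proto, payload_len, ident, ttl=64):
    """20-byte IPv4 header with DF set and a valid checksum (for the constructed frames)."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0x4000, ttl, proto, 0,
                    bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return h[:10] + struct.pack("!H", _ipv4_checksum(h)) + h[12:]

# Constructed sample frames: locally administered MACs, RFC 1918 addresses, 8 zero payload bytes
DST, SRC, PAYLOAD = bytes.fromhex("020000000001"), bytes.fromhex("020000000002"), bytes(8)
IP_HDR = _ipv4_header("10.0.0.1", "10.0.0.2", 1, len(PAYLOAD), 0x6C26)
FRAME_ETH2 = DST + SRC + struct.pack("!H", ETH_P_IP) + IP_HDR + PAYLOAD
FRAME_VLAN = DST + SRC + struct.pack("!HHH", ETH_P_8021Q, 100, ETH_P_IP) + IP_HDR + PAYLOAD
FRAME_STP = bytes.fromhex("0180c2000000") + SRC + struct.pack("!H", 38) + b"\x42\x42\x03" + bytes(35)
FRAME_SHIFTED = DST + SRC + IP_HDR[2:] + PAYLOAD     # FRAME_ETH2 with bytes 12-15 (08 00 45 00) gone
# Constructed `tcpdump -nn -e -xx` text for FRAME_SHIFTED, in the format seen in the thread
SAMPLE_DUMP = """12:00:00.000001 02:00:00:00:00:02 Unknown SSAP 0x26 > 02:00:00:00:00:01 Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command], length 24
        0x0000:  0200 0000 0001 0200 0000 0002 001c 6c26
        0x0010:  4000 4001 bab8 0a00 0001 0a00 0002 0000
        0x0020:  0000 0000 0000"""
```

To use it on the sensor, capture a few frames with `tcpdump -nn -e -xx -i eth1 -c 20`, paste the text into `frames_from_hexdump()` and look at `summarize()`. A non-zero "shifted IPv4" count means the frames reach libpcap with their type field already gone, which is something to chase in the NIC, driver, VLAN offload or virtual-switch layer (the questions asked at the top of this message) before touching the Snort configuration; a count of zero means the frames really are LLC, and the span port is not delivering what the Windows laptop saw.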
Current thread:
- Re: Snort Start up error, (continued)
- Re: Snort Start up error waldo kitty (Apr 18)
- Re: Snort Start up error Said Nurhussein (Apr 18)
- Re: Snort Start up error waldo kitty (Apr 19)
- Re: Snort not seeing IP-traffic, just Ether/Other Glenn Geller (Apr 18)
- Re: Snort not seeing IP-traffic, just Ether/Other James Lay (Apr 18)
- Re: Snort not seeing IP-traffic, just Ether/Other Kim.Halavakoski () Crosskey fi (Apr 18)
- Re: Snort not seeing IP-traffic, just Ether/Other Eoin Miller (Apr 18)
- Re: Snort not seeing IP-traffic, just Ether/Other Tony Robinson (Apr 18)
- Re: Snort not seeing IP-traffic, just Ether/Other Kim.Halavakoski () Crosskey fi (Apr 18)
- Message not available
- Re: Snort Start up error Said Nurhussein (Apr 19)