Snort mailing list archives

Re: Snort not seeing IP-traffic, just Ether/Other


From: Michal Purzynski <michal () rsbac org>
Date: Thu, 18 Apr 2013 20:45:19 +0200

Are you running SO in a VM of any kind?

Is the ifconfig output on the sniffing interface growing as it should be?

On 4/18/13 8:01 PM, Kim.Halavakoski () Crosskey fi wrote:
Hello,
I have set up a snort-sensor on a RedHat Linux box with traffic from a
switch span-port feeding eth1 on the box. The traffic contains
vlan-tagged traffic, if that makes any difference.

The problem is that I am just getting some weird multicast / SSAP and
DSAP encapsulated Ethernet frames on that interface on the Linux box,
but when a colleague plugged in his laptop with Windows 7 on the same
port it saw all the traffic that I would like to see, meaning IP-traffic
from the monitored networks.

So Windows 7 sees the traffic, but the Linux box running snort just sees
weird multicast / SSAP / DSAP traffic. tcpdump does not show any IP
traffic either. I know this is probably not a snort-question per se, but
this being the snort-users list I think some of you guys might have some good
insights into this behaviour; probably easy to fix, but I just can't get it
right now :( Any ideas on what I am doing wrong here?


The interface is set in promiscuous mode:

[root@xxxanal01 khalavak]# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:14:5E:2A:34:85
           UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
           RX packets:3668068 errors:0 dropped:0 overruns:0 frame:0
           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:628710729 (599.5 MiB)  TX bytes:0 (0.0 b)
           Interrupt:16

Snort sees only Ether and Other traffic:

[root@xxxanal01 khalavak]# snort -i eth1
Running in packet dump mode

         --== Initializing Snort ==--
Initializing Output Plugins!
pcap DAQ configured to passive.
Acquiring network traffic from "eth1".
Decoding Ethernet

         --== Initialization Complete ==--

    ,,_     -*> Snort! <*-
   o"  )~   Version 2.9.4.1 GRE (Build 69)
    ''''    By Martin Roesch & The Snort Team:
http://www.snort.org/snort/snort-team
            Copyright (C) 1998-2013 Sourcefire, Inc., et al.
            Using libpcap version 1.0.0
            Using PCRE version: 7.8 2008-09-05
            Using ZLIB version: 1.2.3

Commencing packet processing (pid=3644)
^C*** Caught Int-Signal
===============================================================================
Run time for packet processing was 7.103551 seconds
Snort processed 1354 packets.
Snort ran for 0 days 0 hours 0 minutes 7 seconds
    Pkts/sec:          193
===============================================================================
Packet I/O Totals:
    Received:         1354
    Analyzed:         1354 (100.000%)
     Dropped:            0 (  0.000%)
    Filtered:            0 (  0.000%)
Outstanding:            0 (  0.000%)
    Injected:            0
===============================================================================
Breakdown by protocol (includes rebuilt packets):
         Eth:         1354 (100.000%)
        VLAN:            0 (  0.000%)
         IP4:            0 (  0.000%)
        Frag:            0 (  0.000%)
        ICMP:            0 (  0.000%)
         UDP:            0 (  0.000%)
         TCP:            0 (  0.000%)
         IP6:            0 (  0.000%)
     IP6 Ext:            0 (  0.000%)
    IP6 Opts:            0 (  0.000%)
       Frag6:            0 (  0.000%)
       ICMP6:            0 (  0.000%)
        UDP6:            0 (  0.000%)
        TCP6:            0 (  0.000%)
      Teredo:            0 (  0.000%)
     ICMP-IP:            0 (  0.000%)
     IP4/IP4:            0 (  0.000%)
     IP4/IP6:            0 (  0.000%)
     IP6/IP4:            0 (  0.000%)
     IP6/IP6:            0 (  0.000%)
         GRE:            0 (  0.000%)
     GRE Eth:            0 (  0.000%)
    GRE VLAN:            0 (  0.000%)
     GRE IP4:            0 (  0.000%)
     GRE IP6:            0 (  0.000%)
GRE IP6 Ext:            0 (  0.000%)
    GRE PPTP:            0 (  0.000%)
     GRE ARP:            0 (  0.000%)
     GRE IPX:            0 (  0.000%)
    GRE Loop:            0 (  0.000%)
        MPLS:            0 (  0.000%)
         ARP:            0 (  0.000%)
         IPX:            0 (  0.000%)
    Eth Loop:            0 (  0.000%)
    Eth Disc:            0 (  0.000%)
    IP4 Disc:            0 (  0.000%)
    IP6 Disc:            0 (  0.000%)
    TCP Disc:            0 (  0.000%)
    UDP Disc:            0 (  0.000%)
   ICMP Disc:            0 (  0.000%)
All Discard:            0 (  0.000%)
       Other:         1354 (100.000%)
Bad Chk Sum:            0 (  0.000%)
     Bad TTL:            0 (  0.000%)
      S5 G 1:            0 (  0.000%)
      S5 G 2:            0 (  0.000%)
       Total:         1354
===============================================================================
Snort exiting

[root@xxxanal01 khalavak]

Same with tcpdump, not seeing any IP-traffic just weird "Unknown SSAP"
and "Null information" packets:

[root@xxxanal01 khalavak]# tcpdump -nn  -i eth1
tcpdump: WARNING: eth1: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
20:55:14.105981 00:10:db:fc:45:00 Unknown SSAP 0x26 > 00:50:56:95:20:66
Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command],
length 60
20:55:14.106120 00:50:56:95:45:00 > 00:10:db:fc:40:05 Null Information,
send seq 32, rcv seq 0, Flags [Command], length 60
20:55:14.106840 00:10:db:fc:45:00 Unknown SSAP 0x26 > 00:50:56:95:20:66
Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Response],
length 52
20:55:14.107173 00:10:db:fc:45:00 Unknown SSAP 0x28 > 00:50:56:95:20:66
Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command],
length 191
20:55:14.107275 00:50:56:95:45:00 Unknown SSAP 0x3e > 00:10:db:fc:40:05
Unknown DSAP 0x78 Information, send seq 32, rcv seq 0, Flags [Response],
length 52
20:55:14.108298 00:50:56:95:45:00 Unknown SSAP 0x40 > 00:10:db:fc:40:05
Unknown DSAP 0x78 Information, send seq 32, rcv seq 0, Flags [Command],
length 138
20:55:14.108354 00:50:56:95:45:00 Unknown SSAP 0x40 > 00:10:db:fc:40:05
Unknown DSAP 0x78 Information, send seq 32, rcv seq 0, Flags [Response],
length 58
20:55:14.108423 00:50:56:95:45:00 STP > 00:10:db:fc:40:05 Unknown DSAP
0x78 Information, send seq 32, rcv seq 0, Flags [Command], length 89
20:55:14.109385 00:10:db:fc:45:00 Unknown SSAP 0x28 > 00:50:56:95:20:66
Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Response],
length 52
20:55:14.109395 00:10:db:fc:45:00 Unknown SSAP 0x2a > 00:50:56:95:20:66
Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command],
length 52
20:55:14.109400 00:10:db:fc:45:00 Unknown SSAP 0x2a > 00:50:56:95:20:66
Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Response],
length 52
20:55:14.109488 00:10:db:fc:45:00 Unknown SSAP 0x2c > 00:50:56:95:20:66
Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command],
length 95
20:55:14.109494 00:10:db:fc:45:00 Unknown SSAP 0x2c > 00:50:56:95:20:66
Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Response],
length 80
20:55:14.109567 00:50:56:95:45:00 STP > 00:10:db:fc:40:05 Unknown DSAP
0x78 Information, send seq 32, rcv seq 0, Flags [Response], length 52
20:55:14.110465 00:50:56:95:45:00 Unknown SSAP 0x44 > 00:10:db:fc:40:05
Unknown DSAP 0x78 Information, send seq 32, rcv seq 0, Flags [Command],
length 1206
20:55:14.110546 00:50:56:95:45:00 Unknown SSAP 0x44 > 00:10:db:fc:40:05
Unknown DSAP 0x78 Information, send seq 32, rcv seq 0, Flags [Response],
length 52
20:55:14.111141 00:10:db:fc:45:00 Unknown SSAP 0x2e > 00:50:56:95:20:66
Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command],
length 52
20:55:14.111327 00:10:db:fc:45:00 Unknown SSAP 0x2e > 00:50:56:95:20:66
Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Response],
length 75
20:55:14.111338 00:10:db:fc:45:00 Unknown SSAP 0x30 > 00:50:56:95:20:66
Unknown DSAP 0x6c Information, send seq 32, rcv seq 0, Flags [Command],
length 52
20:55:14.111542 00:50:56:95:45:00 > 00:10:db:fc:40:05 Null Information,
send seq 32, rcv seq 0, Flags [Command], length 46
20:55:14.111581 00:50:56:95:45:00 > 00:10:db:fc:40:05 Null Information,
send seq 32, rcv seq 0, Flags [Command], length 46
20:55:14.119656 00:50:56:95:45:00 Unknown SSAP 0x44 > 00:50:56:95:20:64
Unknown DSAP 0xb6 Information, send seq 32, rcv seq 0, Flags [Command],
length 240
^C
22 packets captured
22 packets received by filter
0 packets dropped by kernel
[root@xxxanal01 khalavak]#

Best regards,

Kim Halavakoski

PGP S°: 0BFA A910 9AA7 94A5 A323  53F5 4151 4CE4 33BE 35FA
kim.halavakoski () crosskey fi
------------------------------------------------------------------------------
Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
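An added example, not from this thread, showing what a libpcap-based sniffer does with the two-byte field after the source MAC: 0x0600 or more is an EtherType (0x8100 being a VLAN tag), anything smaller is an 802.3 length and the following bytes are read as an LLC header, which is where "Unknown SSAP/DSAP ... Information, send seq" lines like the ones above come from. The third constructed frame is an IPv4 packet with only 10 link-layer bytes in front of it, so the decoder reports the same DSAP, SSAP and sequence values as the capture above; the checksum-based IPv4 scan is an added sanity check for that kind of framing mismatch, not a diagnosis of the original sensor, and all MACs, IP addresses and the VLAN id are constructed.

```python
import struct
def ipv4_checksum(hdr20):
    """One's-complement sum over a 20-byte IPv4 header; returns 0 when its checksum field verifies."""
    total = sum(struct.unpack("!10H", hdr20))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(total_len, ident):
    """20-byte IPv4 header with DF set, TTL 64, proto TCP and constructed 10.0.0.1 -> 10.0.0.2."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, 64, 6, 0,
                    bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return h[:10] + struct.pack("!H", ipv4_checksum(h)) + h[12:]

def find_ipv4_header(frame, max_offset=32):
    """Offset of the first 20 bytes that verify as an IPv4 header (0x45, length fits, checksum), else None."""
    for off in range(min(max_offset, len(frame) - 20) + 1):
        total_len = struct.unpack_from("!H", frame, off + 2)[0]
        if frame[off] == 0x45 and 20 <= total_len <= len(frame) - off \
                and ipv4_checksum(frame[off:off + 20]) == 0:
            return off
    return None

def decode_frame(frame):
    """Classify a frame as libpcap/tcpdump do: EtherType (>= 0x0600) or 802.3 length + LLC header."""
    type_len, off, vlan = struct.unpack_from("!H", frame, 12)[0], 14, None
    if type_len == 0x8100:                           # 802.1Q tag: TCI, then the real EtherType
        tci, type_len = struct.unpack_from("!HH", frame, 14)
        vlan, off = tci & 0x0FFF, 18
    info = {"vlan": vlan, "payload_off": off}
    if type_len >= 0x0600:
        info.update(kind="ethernet2", ethertype=type_len)
    else:
        dsap, ssap, ctrl, ctrl2 = frame[off:off + 4]  # 802.3 length field, so an LLC header follows
        info.update(kind="llc", dsap=dsap & 0xFE, ssap=ssap & 0xFE,  # tcpdump masks the I/G and C/R bits
                    flag="Response" if ssap & 1 else "Command")
        if ctrl & 1 == 0:                            # I-frame: N(S) and N(R) in the two control bytes
            info.update(send_seq=ctrl >> 1, rcv_seq=ctrl2 >> 1)
    # Added diagnostic: a verified IPv4 header anywhere but the payload offset means the assumed link-layer length is wrong.
    info["ipv4_at"] = find_ipv4_header(frame)
    info["framing_mismatch"] = info["ipv4_at"] not in (None, off)
    return info

# Constructed frames (not from the thread's capture); IP total length 46 = 20-byte header + 26 bytes.
MAC_A, MAC_B = bytes.fromhex("001000000001"), bytes.fromhex("001000000002")
IP = ipv4_header(46, 0x6C26) + b"\x00" * 26
ETH2_IP = MAC_A + MAC_B + struct.pack("!H", 0x0800) + IP
DOT1Q_IP = MAC_A + MAC_B + struct.pack("!HHH", 0x8100, 100, 0x0800) + IP
# Only 10 link-layer bytes before the IPv4 header: the IP length fills the type/length slot, the IP ID and DF flag the LLC slots.
SHORT_LL_IP = MAC_A + MAC_B[:4] + IP
```

Running decode_frame over a live capture (for example frames read with a pcap library) and counting framing_mismatch hits is a quick way to tell a decoder-offset problem apart from genuinely non-IP traffic.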
