Snort Forums Archive
TCP not seen on second NIC
Posted by burenh on December 28, 2005 10:10:32
I posted the following cry for help in the Newbies section and got only one response. Maybe here?
I have Snort 2.4 running on Windows XP sp2, with two NIC cards. One is regular NIC, and the second is set with no IP address and no protocol ...
When running as "snort -dev -i 2", the only activity I see is UDP and ARP packets. No TCP packets. If I look at the first NIC, then TCP traffic is visible.
The second interface is connected to a hub that is inserted between our internet router and the lan switch. When I set the NIC 2 to use Internet Protocol (TCP/IP), it gets an IP address assigned, and then it sees TCP traffic - but only traffic that is relevant to that machine. Is there something special I need to do to make the NIC work in promiscuous mode? Do I need a special NIC?
Thanks!
Posted by Trostycp on January 01, 2006 09:33:10
I'm having a very similar problem on mine (can't pick up TCP on NIC#3 [-i 4]).
Although on mine the TCP packets display as OTHER when the Snort instance is killed and the statistics show up.
Although I do have an associated IP address on the NIC....
Any solutions since your post?
Ryan
Posted by burenh on January 01, 2006 10:01:28
No solution yet - but something I read suggested that maybe the NIC is not working in promiscuous mode - maybe a limitation of the device. I have several other NIC brands available, so will be trying them in the near future.
...buren
Posted by chris on January 06, 2006 15:18:34
Hi guys, if you fire up a copy of Ethereal, can you capture on the interfaces in question? Which versions of WinPcap are you using? Which manufacturer of NICs do you have?
Posted by burenh on January 11, 2006 08:53:56
OK, here is some more info.
I tried NICs:
D-Link DE-530+ Ethernet Adapter
Linksys LNE100TX v5.1 Etherfast Adapter
Intel PRO/100 S Desktop Adapter
Same results on each of them.
I installed Ethereal - and it suggested I update my WinPcap from 3.0 to 3.1. I did the WinPcap update as suggested. Then, running Ethereal, I see UDP: 30%, ARP: 30%, and IPX: 40%. These percentages vary, of course. No TCP traffic observed.
One other note - as noted previously, I have my IDS port connected to a hub (Linksys EFAH05W 5-port hub) inserted between the internet firewall and our LAN. There is a lot of link activity showing on the internet link ports, but none on the IDS port.
...buren
Posted by chris on January 15, 2006 04:19:08
Hi Buren,
Sorry for the late reply, it's been a busy week. It seems like the TCP traffic is being dropped somewhere, since you are seeing all other kinds of traffic.
Just to get a better picture, you've got a setup like "Internet - router - Hub - LAN".
With your IDS off one of the hub ports?
On your FW are there any access controls that might be dropping the TCP traffic?
Have you tried moving the Hub to the Internet side of the FW just to check you are able to receive TCP traffic via the Hub port.
Chris
Posted by burenh on January 25, 2006 03:59:36
Finally - got it to work! Turns out the problem was the hub. Apparently the Linksys EFAH05W hub doesn't operate like a real hub - making all traffic visible on all ports. I tried inserting one of the passive taps (described on the Snort site) in the line and can see other TCP traffic.
However, the passive tap only sees the traffic for one direction. Either I'll have to get another "real" hub, or find a way to reassemble the traffic from both directions on the passive tap.
Thanks
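Added example, not part of any post in this thread. The last reply hits the usual passive-tap problem: the tap hands each direction of the full-duplex link to a separate output, so a single NIC only ever sees one side of every TCP conversation. One workable answer is to capture each tap output separately and then interleave the two one-direction captures by timestamp into a single bidirectional pcap that Snort can read back with -r. The script below does that in pure standard-library Python (no live capture, no WinPcap). It also builds a constructed two-capture sample standing in for the tap outputs; the MAC/IP addresses, ports, timestamps and payloads are invented for the demonstration, and the frames carry zero checksums because only addresses, flags and ordering matter here. A side note on the "hub" symptom in the thread: many 10/100 dual-speed hubs of that era contain a bridge between their 10 Mb/s and 100 Mb/s segments, so a port that negotiates a different speed from the link under test only sees broadcast and flooded traffic (ARP, broadcast UDP, IPX SAP), which matches what was observed.

```python
"""Merge two one-direction pcap captures (e.g. the two outputs of a passive tap)
into one timestamp-ordered pcap. Pure standard library; classic pcap only."""
import heapq
import socket
import struct
from typing import List, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4        # magic as read little-endian from a LE file
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1   # a big-endian file's magic when read little-endian
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16
TCP_FLAG_NAMES = [(0x02, "S"), (0x08, "P"), (0x10, "A"), (0x01, "F"), (0x04, "R")]


def pcap_global_header(snaplen: int = 65535, linktype: int = LINKTYPE_ETHERNET) -> bytes:
    """24-byte libpcap file header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts_sec: int, ts_usec: int, frame: bytes) -> bytes:
    """One packet record: timestamp, included length, original length, then the frame."""
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def read_pcap(buf: bytes) -> Tuple[int, List[Tuple[int, int, bytes]]]:
    """Parse a pcap file image into (linktype, [(ts_sec, ts_usec, frame), ...])."""
    (magic,) = struct.unpack_from("<I", buf, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "I", buf, 20)[0]
    records, off = [], GLOBAL_HEADER_LEN
    while off + RECORD_HEADER_LEN <= len(buf):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from(endian + "IIII", buf, off)
        off += RECORD_HEADER_LEN
        records.append((ts_sec, ts_usec, buf[off:off + incl_len]))
        off += incl_len
    return linktype, records


def merge_pcaps(*captures: bytes) -> bytes:
    """Interleave the packets of several captures by timestamp into one pcap image.
    Each tap output is already ordered on its own, so a k-way merge is enough;
    all inputs must share one link type, otherwise the result would be unreadable."""
    parsed = [read_pcap(c) for c in captures]
    linktypes = {lt for lt, _ in parsed}
    if len(linktypes) != 1:
        raise ValueError(f"mixed link types {linktypes}; refusing to merge")
    merged = heapq.merge(*[recs for _, recs in parsed], key=lambda r: (r[0], r[1]))
    out = [pcap_global_header(linktype=linktypes.pop())]
    out.extend(pcap_record(s, u, f) for s, u, f in merged)
    return b"".join(out)


def tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    """Minimal Ethernet/IPv4/TCP frame for the constructed sample (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = bytes.fromhex("0011223344aa") + bytes.fromhex("0011223344bb") + b"\x08\x00"
    return eth + ip + tcp


def summarize(pcap: bytes) -> List[Tuple[float, str, str, str]]:
    """(timestamp, src ip, dst ip, TCP flag letters) per packet, to check the merge result."""
    rows = []
    for ts_sec, ts_usec, frame in read_pcap(pcap)[1]:
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        flags = ip[ihl + 13]
        letters = "".join(name for bit, name in TCP_FLAG_NAMES if flags & bit)
        rows.append((ts_sec + ts_usec / 1e6, socket.inet_ntoa(ip[12:16]),
                     socket.inet_ntoa(ip[16:20]), letters))
    return rows


def build_sample_captures() -> Tuple[bytes, bytes]:
    """Constructed stand-in for a passive tap's two outputs (invented hosts, ports, times):
    one side only ever carries client->server frames, the other only server->client."""
    c, s = "192.168.1.50", "203.0.113.10"
    to_server = [(1000, 100, tcp_frame(c, s, 49152, 80, 0x02)),                    # SYN
                 (1000, 500, tcp_frame(c, s, 49152, 80, 0x10)),                    # ACK
                 (1000, 900, tcp_frame(c, s, 49152, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n"))]
    to_client = [(1000, 350, tcp_frame(s, c, 80, 49152, 0x12)),                    # SYN/ACK
                 (1000, 1400, tcp_frame(s, c, 80, 49152, 0x18, b"HTTP/1.0 200 OK\r\n"))]
    make = lambda recs: pcap_global_header() + b"".join(pcap_record(*r) for r in recs)
    return make(to_server), make(to_client)


if __name__ == "__main__":
    a, b = build_sample_captures()
    for ts, src, dst, fl in summarize(merge_pcaps(a, b)):
        print(f"{ts:.6f} {src} -> {dst} [{fl}]")
```

Run as-is it prints the five-packet handshake and request/response in wire order, SYN, SYN/ACK, ACK, data, data, even though neither input file contained a complete exchange. The same job on real captures is one command with Wireshark's mergecap (mergecap -w both.pcap tx.pcap rx.pcap), and Snort can then process the result with -r. The ordering is only meaningful when both directions were timestamped by the same clock, which holds when the two tap outputs land on two NICs in one capture box; with two separate capture hosts the clocks must be synchronized first, or the merge will reorder packets that are closer together than the clock skew.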