From: Martin Roesch (roesch@sourcefire.com)
Date: Thu Nov 01 2001 - 10:02:29 CST
That's very possible, the Token Ring users of Snort are a pretty small
set of people, and I think you're the first person that's tried it on
Windows. If you could capture some packets with Ethereal and mail them
to me (the binary packet captures), I'll see if I can update the
decoder.
-Marty
bulent_sahin@tb.net.tr wrote:
>
> Yes, the interface name is correct. I tried, but same thing happened.
> Program captures some frames, but categorizes them as OTHER. I suppose
> that snort does not understand token-ring, llc2 and snap headers?
> Thanks
> Bulent
>
> Martin Roesch <roesch@sourcefire.com>
> Sent by: roesch@mail.sourcefire.com
> 01.11.2001 17:04
> To: bulent_sahin@tb.net.tr
> cc: snort-users@lists.sourceforge.net
> Subject: Re: [Snort-users] Token ring support of snort
>
> Is that the right interface name for the T/R interface? To get a list
> of the interfaces that are available run 'snort -W', then set the
> sniffing interface with 'snort -i <intf>'
>
> -Marty
>
> bulent_sahin@tb.net.tr wrote:
> >
> > Hi,
> >
> > Does anybody know about token ring support of snort? A few days ago I
> > installed snort on my computer, but when I try "snort -v" it assumes
> > that all packets are ethernet packets. Winpcap and ethereal work
> > fine. I pasted "snort -v" output below.
> >
> > C:\Downloads\Snort-1.8.1-win32-static\Snort-1.8.1-win32\snort -v
> > Log directory =
> >
> > --== Initializing Snort ==--
> >
> > Initializing Network Interface \
> > Decoding Ethernet on interface \Device\Packet_MDGNDIS41
> >
> > --== Initialization Complete ==--
> >
> > -*> Snort! <*-
> > Version 1.8-WIN32 (Build 74)
> > By Martin Roesch (roesch@sourcefire.com, www.snort.org)
> > 1.7-WIN32 Port By Michael Davis (mike@datanerds.net, ww
> > 1.8-WIN32 Port By Chris Reid (chris.reid@codecraftconsu
> > (based on code from 1.7 port)
> >
> > =======================================================
> > Snort analyzed 1312 out of 1312 packets, dropping 0(0.0
> >
> > Breakdown by protocol: Action Stats:
> > TCP: 0 (0.000%) ALERTS: 0
> > UDP: 0 (0.000%) LOGGED: 0
> > ICMP: 0 (0.000%) PASSED: 0
> > ARP: 0 (0.000%)
> > IPv6: 0 (0.000%)
> > IPX: 0 (0.000%)
> > OTHER: 1311 (99.924%)
> > DISCARD: 0 (0.000%)
> > =======================================================
> > Fragmentation Stats:
> > Fragmented IP Packets: 0 (0.000%)
> > Fragment Trackers: 0
> > Rebuilt IP Packets: 0
> > Frag elements used: 0
> > Discarded(incomplete): 0
> > Discarded(timeout): 0
> > Frag2 memory faults: 0
> > =======================================================
> > TCP Stream Reassembly Stats:
> > TCP Packets Used: 0 (0.000%)
> > Stream Trackers: 0
> > Stream flushes: 0
> > Segments used: 0
> > Stream4 Memory Faults: 0
> > =======================================================
> > pcap_loop: read error: PacketReceivePacket failedpcap_s
> > r
> > Snort received signal 3, exiting
> >
> > Thanks,
> > Bulent
>
> --
> Martin Roesch - President, Sourcefire Inc. - (410)552-6999
> roesch@sourcefire.com - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch@sourcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
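
The header layout the question above asks about (802.5 MAC header, optional source-routing field, LLC, SNAP), as an added example that is not part of the thread and is not Snort's decoder code. The function names are hypothetical, the two frames are constructed rather than captured, and only LLC UI frames carrying SNAP are handled (LLC2 I/S frames with a two-byte control field are rejected).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TR_HDR_LEN 14 /* AC(1) + FC(1) + dst(6) + src(6) */

/* Constructed 802.5 frames (not captures): IPv4 over LLC/SNAP. */
static const uint8_t tr_plain[] = {
    0x10, 0x40, 0x40,0,0,0,0,1, 0x40,0,0,0,0,2,       /* AC FC dst src */
    0xAA, 0xAA, 0x03, 0,0,0, 0x08,0x00, 0x45 };       /* LLC SNAP IP.. */
static const uint8_t tr_routed[] = {
    0x10, 0x40, 0x40,0,0,0,0,1, 0xC0,0,0,0,0,2,       /* RII bit in src */
    0x06, 0x30, 0x00,0x11, 0x00,0x20,                 /* 6-byte RIF */
    0xAA, 0xAA, 0x03, 0,0,0, 0x08,0x00, 0x45 };

/* What an Ethernet decoder takes as the type field: bytes 12-13. */
int eth_type_at_12(const uint8_t *p, size_t len)
{
    return len < 14 ? -1 : (p[12] << 8) | p[13];
}

/* SNAP EtherType of an 802.5 LLC frame; -1 if truncated, a MAC frame,
 * or not LLC UI + SNAP. *payload_off gets the offset past SNAP. */
int tr_snap_ethertype(const uint8_t *p, size_t len, size_t *payload_off)
{
    size_t off = TR_HDR_LEN;
    if (len < TR_HDR_LEN || (p[1] & 0xC0) != 0x40) /* FC type 01 = LLC */
        return -1;
    if (p[8] & 0x80) {                  /* source routing present */
        size_t rif = (len >= off + 2) ? (p[off] & 0x1F) : 0;
        if (rif < 2 || (rif & 1))       /* RIF length: even, >= 2 */
            return -1;
        off += rif;
    }
    if (len < off + 8)                  /* LLC(3) + SNAP(5) must fit */
        return -1;
    if (p[off] != 0xAA || p[off + 1] != 0xAA || p[off + 2] != 0x03)
        return -1;
    *payload_off = off + 8;
    return (p[off + 6] << 8) | p[off + 7];
}

int main(void)
{
    size_t off = 0;
    printf("as Ethernet: 0x%04x\n", eth_type_at_12(tr_plain, sizeof tr_plain));
    printf("as 802.5:    0x%04x\n", tr_snap_ethertype(tr_routed, sizeof tr_routed, &off));
    return 0;
}
```

Read as Ethernet, bytes 12-13 of a Token Ring frame are the tail of the source address, so the type field never matches IP; the 802.5 walk finds EtherType 0x0800 behind the SNAP header in both frames.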