From: Fyodor (fygrave@tigerteam.net)
Date: Fri Nov 02 2001 - 05:21:41 CST


    I had a similar report a while ago that running snort on a real token ring iface brings lots of junk while a tcpdump saved file was interpreted just fine. The thing is that I never had any access to a token ring device while coding the token ring support piece, therefore I used tcpdump files to figure out the protocol/test the code. The person who was assisting me at that time told me that it worked on a real device as well, but maybe something got changed. If someone could provide me with access to a box with a token ring interface on it, I may try to fix token ring support.

    On Thu, Nov 01, 2001 at 11:02:29AM -0500, Martin Roesch wrote:
    > That's very possible, the Token Ring users of Snort are a pretty small
    > set of people, and I think you're the first person that's tried it on
    > Windows. If you could capture some packets with Ethereal and mail them
    > to me (the binary packet captures), I'll see if I can update the
    > decoder.
    >
    > -Marty
    >
    > bulent_sahin@tb.net.tr wrote:
    > >
    > > Yes, the interface name is correct. I tried, but same thing happened.
    > > Program captures some frames, but categorizes them as OTHER. I suppose
    > > that snort does not understand token-ring, llc2 and snap headers?
    > > Thanks
    > > Bulent
    > >
    > > Martin Roesch <roesch@sourcefire.com>
    > > Sent by: roesch@mail.sourcefire.com
    > > 01.11.2001 17:04
    > > To: bulent_sahin@tb.net.tr
    > > cc: snort-users@lists.sourceforge.net
    > > Subject: Re: [Snort-users] Token ring support of snort
    > >
    > > Is that the right interface name for the T/R interface? To get a list
    > > of the interfaces that are available run 'snort -W', then set the
    > > sniffing interface with 'snort -i <intf>'
    > >
    > > -Marty
    > >
    > > bulent_sahin@tb.net.tr wrote:
    > > >
    > > > Hi,
    > > >
    > > > Does anybody know about token ring support of snort? A few days ago I
    > > > installed snort on my computer, but when I try "snort -v" it assumes
    > > > that all packets are ethernet packets. Winpcap and ethereal work
    > > > fine. I pasted "snort -v" output below.
    > > >
    > > > C:\Downloads\Snort-1.8.1-win32-static\Snort-1.8.1-win32\snort -v
    > > > Log directory =
    > > >
    > > > --== Initializing Snort ==--
    > > >
    > > > Initializing Network Interface \
    > > > Decoding Ethernet on interface \Device\Packet_MDGNDIS41
    > > >
    > > > --== Initialization Complete ==--
    > > >
    > > > -*> Snort! <*-
    > > > Version 1.8-WIN32 (Build 74)
    > > > By Martin Roesch (roeschsourcefire.com, www.snort.org)
    > > > 1.7-WIN32 Port By Michael Davis (mikedatanerds.net, ww
    > > > 1.8-WIN32 Port By Chris Reid (chris.reidcodecraftconsu
    > > > (based on code from 1.7 port)
    > > >
    > > > =======================================================
    > > > Snort analyzed 1312 out of 1312 packets, dropping 0(0.0
    > > >
    > > > Breakdown by protocol: Action Stats:
    > > > TCP: 0 (0.000%) ALERTS: 0
    > > > UDP: 0 (0.000%) LOGGED: 0
    > > > ICMP: 0 (0.000%) PASSED: 0
    > > > ARP: 0 (0.000%)
    > > > IPv6: 0 (0.000%)
    > > > IPX: 0 (0.000%)
    > > > OTHER: 1311 (99.924%)
    > > > DISCARD: 0 (0.000%)
    > > > =======================================================
    > > > Fragmentation Stats:
    > > > Fragmented IP Packets: 0 (0.000%)
    > > > Fragment Trackers: 0
    > > > Rebuilt IP Packets: 0
    > > > Frag elements used: 0
    > > > Discarded(incomplete): 0
    > > > Discarded(timeout): 0
    > > > Frag2 memory faults: 0
    > > > =======================================================
    > > > TCP Stream Reassembly Stats:
    > > > TCP Packets Used: 0 (0.000%)
    > > > Stream Trackers: 0
    > > > Stream flushes: 0
    > > > Segments used: 0
    > > > Stream4 Memory Faults: 0
    > > > =======================================================
    > > > pcap_loop: read error: PacketReceivePacket failedpcap_s
    > > > r
    > > > Snort received signal 3, exiting
    > > >
    > > > Thanks,
    > > > Bulent
    > >
    > > --
    > > Martin Roesch - President, Sourcefire Inc. - (410)552-6999
    > > roesch@sourcefire.com - http://www.sourcefire.com
    > > Snort: Open Source Network IDS - http://www.snort.org
    >
    > --
    > Martin Roesch - President, Sourcefire Inc. - (410)552-6999
    > roesch@sourcefire.com - http://www.sourcefire.com
    > Snort: Open Source Network IDS - http://www.snort.org
    >
    > _______________________________________________
    > Snort-users mailing list
    > Snort-users@lists.sourceforge.net
    > Go to this URL to change user options or unsubscribe:
    > https://lists.sourceforge.net/lists/listinfo/snort-users
    > Snort-users list archive:
    > http://www.geocrawler.com/redir-sf.php3?list=snort-users

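The thread above turns on one question: what a Token Ring decoder has to walk through before it can hand a frame to the IP or ARP layer, and why a decoder that was only ever exercised against saved tcpdump files can still file every live frame under OTHER. The C below is an added illustration written for this archive page; it is not Snort's decoder and not code from anyone in the thread. It walks the IEEE 802.5 MAC header, the optional source-routing field (present when the RII bit in the first source-address byte is set, with the RIF length in the low five bits of the first routing-control byte), the 802.2 LLC header, and the RFC 1042 SNAP header, then buckets the frame as IP, ARP, OTHER or TRUNCATED the way Snort's breakdown does. All frames are constructed samples, not captures, and every length check is there so a short or malformed frame fails closed instead of being read past its end.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Coarse buckets, mirroring the IP/ARP/OTHER lines of Snort's breakdown. */
enum tr_proto { TR_OTHER = 0, TR_IP, TR_ARP, TR_TRUNCATED };

#define TR_MAC_HDR_LEN 14   /* AC, FC, dst[6], src[6] (IEEE 802.5) */
#define LLC_HDR_LEN     3   /* DSAP, SSAP, control (IEEE 802.2) */
#define SNAP_HDR_LEN    5   /* OUI[3], EtherType[2] (RFC 1042) */
#define TR_RII       0x80   /* routing-information indicator bit in src[0] */
#define RIF_LEN_MASK 0x1F   /* RIF length is the low 5 bits of RCF byte 0 */
#define LLC_SAP_SNAP 0xAA
#define LLC_CTRL_UI  0x03
#define ETHERTYPE_IP  0x0800
#define ETHERTYPE_ARP 0x0806

/* Walk MAC header, optional RIF, LLC header and (if present) SNAP header.
   Returns the bucket; for SNAP frames stores the payload offset in *payload_off. */
enum tr_proto tr_classify(const uint8_t *frame, size_t len, size_t *payload_off)
{
    size_t off = TR_MAC_HDR_LEN;
    if (len < off)
        return TR_TRUNCATED;

    /* RII set: a 2..30 byte, even-length routing field precedes the LLC header. */
    if (frame[8] & TR_RII) {
        if (len < off + 2)
            return TR_TRUNCATED;
        size_t rif_len = frame[off] & RIF_LEN_MASK;
        if (rif_len < 2 || (rif_len & 1))
            return TR_OTHER;           /* malformed RIF: refuse to skip by it */
        off += rif_len;
    }

    if (len < off + LLC_HDR_LEN)
        return TR_TRUNCATED;
    uint8_t dsap = frame[off], ssap = frame[off + 1], ctrl = frame[off + 2];
    off += LLC_HDR_LEN;

    /* Only SNAP (DSAP = SSAP = 0xAA, UI control) carries an EtherType; plain
       LLC2 traffic such as NetBIOS (SAP 0xF0) is legitimately OTHER. */
    if (dsap != LLC_SAP_SNAP || ssap != LLC_SAP_SNAP || ctrl != LLC_CTRL_UI)
        return TR_OTHER;
    if (len < off + SNAP_HDR_LEN)
        return TR_TRUNCATED;
    uint16_t ethertype = (uint16_t)((frame[off + 3] << 8) | frame[off + 4]);
    off += SNAP_HDR_LEN;

    if (payload_off)
        *payload_off = off;
    switch (ethertype) {
    case ETHERTYPE_IP:  return TR_IP;
    case ETHERTYPE_ARP: return TR_ARP;
    default:            return TR_OTHER;
    }
}

/* Payload offset of a decoded IP/ARP frame, or 0 when there is none. */
size_t tr_payload_offset(const uint8_t *frame, size_t len)
{
    size_t off = 0;
    enum tr_proto p = tr_classify(frame, len, &off);
    return (p == TR_IP || p == TR_ARP) ? off : 0;
}

/* Constructed sample frames (hypothetical bytes, not real captures). */
const uint8_t FRAME_IP[] = {
    0x10, 0x40,                                  /* AC, FC */
    0x00, 0x20, 0x35, 0x01, 0x02, 0x03,          /* dst */
    0x00, 0x20, 0x35, 0x04, 0x05, 0x06,          /* src, RII clear */
    0xAA, 0xAA, 0x03,                            /* LLC: SNAP, UI */
    0x00, 0x00, 0x00, 0x08, 0x00,                /* SNAP: OUI 0, EtherType IP */
    0x45, 0x00, 0x00, 0x14                       /* first bytes of an IPv4 header */
};
const uint8_t FRAME_ARP_SR[] = {
    0x10, 0x40,
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,          /* broadcast dst */
    0x80, 0x20, 0x35, 0x04, 0x05, 0x06,          /* src with RII set */
    0x06, 0x30, 0x00, 0x11, 0x00, 0x22,          /* RIF: length 6, two route descriptors */
    0xAA, 0xAA, 0x03,
    0x00, 0x00, 0x00, 0x08, 0x06,                /* SNAP: EtherType ARP */
    0x00, 0x01, 0x08, 0x00                       /* first bytes of an ARP header */
};
const uint8_t FRAME_NETBIOS[] = {
    0x10, 0x40,
    0x00, 0x20, 0x35, 0x01, 0x02, 0x03,
    0x00, 0x20, 0x35, 0x04, 0x05, 0x06,
    0xF0, 0xF0, 0x03,                            /* LLC: NetBIOS SAPs, no SNAP */
    0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    const uint8_t *frames[] = { FRAME_IP, FRAME_ARP_SR, FRAME_NETBIOS, FRAME_IP };
    size_t lens[] = { sizeof FRAME_IP, sizeof FRAME_ARP_SR, sizeof FRAME_NETBIOS, 10 };
    int counts[4] = { 0 };
    for (size_t i = 0; i < 4; i++)
        counts[tr_classify(frames[i], lens[i], NULL)]++;
    printf("IP: %d  ARP: %d  OTHER: %d  TRUNCATED: %d\n",
           counts[TR_IP], counts[TR_ARP], counts[TR_OTHER], counts[TR_TRUNCATED]);
    return 0;
}
```

The source-routed ARP frame is the case that a decoder tested only against non-routed saved captures never sees: without honouring the RII bit and the RIF length, the LLC and SNAP bytes are read from the wrong offset and every such frame lands in OTHER, which matches the 99.9% OTHER figure in the quoted output.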