From owner-freebsd-security Tue Jun 12 13:19:11 2001
Date: Tue, 12 Jun 2001 16:18:49 -0400 (EDT)
From: Matt Piechota <piechota@argolis.org>
To: "Derek O'Flynn"
Subject: Re: snort/tcpdump not showing tcp packets
Message-ID: <20010612160917.V445-100000@cithaeron.argolis.org>
Sender: owner-freebsd-security@FreeBSD.ORG

On Tue, 12 Jun 2001, Derek O'Flynn wrote:

> I have two machines, one running freebsd 4.0, and one running 4.3. They are
> physically connected to the same hub (same segment)
>
> When running tcpdump or snort on the 4.0 box, I get traffic from a variety
> of protocols
>
> However, when I run tcpdump or snort on the 4.0 box, I get traffic from a
> variety of protocols, but no tcp protocol traffic. The only time tcp
> protocol shows up is if I connect to the web server on the 4.3 box from
> another machine.

I assume you meant the 4.3 box in the above paragraph?

> Strangest thing I've ever seen! Anyway, I thought it might have been cause
> I did a minimal installation, and maybe something was disabled, so I set up
> the box again with a full install of everything but X, and the same thing is
> occurring. I then thought it was the network card, but that can't be cause
> it is receiving tcp packets, but only those destined for the machine,
> nothing else on the segment. Is there a setting that causes it to only see
> its tcp packets (note: it is seeing icmp/udp/arp packets from other
> sources)
>
> Does anyone know if there's something weird with 4.3 that would cause this?
> I'm running the 4.3 iso image downloaded from freebsd. It hasn't been
> modified at all, standard installation.

I'm running the same release as a dedicated sniffer device on a PC (Intel
EEPro 100B NIC), and an IBM Stinkpad w/3Com 3c574-TX NIC. It works perfectly
(as far as I can tell). Could this be a problem with your specific
card/driver and its interaction with the TCPIP stack?

--
Matt Piechota
Finger piechota@emailempire.com for PGP key
AOL IM: cithaeron
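The symptom Derek describes (TCP visible only when this host is an endpoint, while ICMP/UDP/ARP from other hosts still shows up) is the classic signature of a capture that is not actually promiscuous, whether because of the driver or because the sniffer was started with promiscuous mode off. The script below is an added example, not code from the thread or from the FreeBSD project: it reads `tcpdump -n` style output (the sample lines are constructed, with `10.0.0.5` assumed to be the sniffing host), counts per protocol how many packets involve the local host versus only other hosts, and flags the pattern from the thread. On a real box you would pipe `tcpdump -n -l -i <iface>` into it and, separately, confirm that `ifconfig <iface>` shows the `PROMISC` flag while the capture runs (tcpdump's `-p` option leaves the interface in non-promiscuous mode, which reproduces exactly this symptom).

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump -n output (classic FreeBSD 4.x era format),
# not captured from the poster's machines. The sniffing host is assumed to
# be 10.0.0.5; only TCP that touches it appears, while UDP/ICMP/ARP between
# other hosts on the segment is visible.
SAMPLE = """\
16:18:01.000001 10.0.0.7.1234 > 10.0.0.5.80: S 1:1(0) win 16384
16:18:01.000002 10.0.0.5.80 > 10.0.0.7.1234: S 2:2(0) ack 2 win 17520
16:18:01.000003 10.0.0.9 > 10.0.0.11: icmp: echo request
16:18:01.000004 arp who-has 10.0.0.11 tell 10.0.0.9
16:18:01.000005 10.0.0.9.53 > 10.0.0.11.1024: udp 40
16:18:01.000006 10.0.0.9.1025 > 10.0.0.5.53: udp 33
"""

# timestamp, src[.port] > dst[.port]: rest
_LINE = re.compile(
    r"^\S+\s+(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?\s+>\s+"
    r"(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?:\s+(.*)$"
)


def classify(line):
    """Return (protocol, src_ip, dst_ip) for one tcpdump line, or None."""
    if " arp " in f" {line} ":
        # ARP lines carry no src > dst pair; pull the addresses out directly.
        ips = re.findall(r"\d+\.\d+\.\d+\.\d+", line)
        return ("arp", ips[0] if ips else None, ips[1] if len(ips) > 1 else None)
    m = _LINE.match(line)
    if not m:
        return None
    src, _sport, dst, _dport, rest = m.groups()
    if rest.startswith("icmp"):
        proto = "icmp"
    elif rest.startswith("udp"):
        proto = "udp"
    else:
        proto = "tcp"  # flags/seq/ack field follows for TCP
    return (proto, src, dst)


def summarize(text, local_ip):
    """Count, per protocol, packets involving local_ip vs. foreign-only ones."""
    counts = defaultdict(lambda: {"local": 0, "foreign": 0})
    for line in text.splitlines():
        parsed = classify(line.strip())
        if parsed is None:
            continue
        proto, src, dst = parsed
        bucket = "local" if local_ip in (src, dst) else "foreign"
        counts[proto][bucket] += 1
    return dict(counts)


def symptom_present(counts):
    """True when TCP is seen only to/from this host while other protocols
    are seen between third parties, i.e. the capture is not promiscuous."""
    tcp = counts.get("tcp", {"local": 0, "foreign": 0})
    others_foreign = sum(v["foreign"] for k, v in counts.items() if k != "tcp")
    return tcp["local"] > 0 and tcp["foreign"] == 0 and others_foreign > 0


if __name__ == "__main__":
    summary = summarize(SAMPLE, "10.0.0.5")
    for proto, c in sorted(summary.items()):
        print(f"{proto:5s} local={c['local']} foreign={c['foreign']}")
    if symptom_present(summary):
        print("TCP seen only when this host is an endpoint: check PROMISC flag / driver")
```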