Date: Fri, 12 Jul 2002 10:55:18 -0400 From: freebsd <freebsd@epx.com> To: net@freebsd.org Subject: Question about network layers in FreeBSD 4.x Message-ID: <200207121455.g6CEtI400824@ux340prd.epx.com>
next in thread | raw e-mail | index | archive | help
I have a system I run FreeBSD 4.5-release on. The purpose of this system is to run Snort (IDS). The current system is a Compaq Proliant 1850R, have also tried on a Compaq Proliant 1600R. Both systems are SMP with dual processors, > 256m ram, and Compaq Smart Array controller to handle raid in hardware. I want to use this box to monitor multiple lan segments. So I use the builtin tlan eth for mgmt, and than add other nics with no IP addresses for snort to listen on. This works great when I use distinct multiple NIC cards. 3com + Intel + Realtek. However, when I try to use a quad ethernet card, it fails. The programs don't bomb, no errors reported. But there is amount of activity that doesn't get picked up when using the quad cards vs. when using the multiple NICs scenario. For example, if someone in lan segment x.x.a.x connects to a *nix server in x.x.b.x (both monitored by this box), and a suspicious event occurs I will see it captured by both of the snort interfaces. If, however, I put in the quad card, and the same thing happens, it will only be seen/recorded by one of the snort nic instances. I have tried this with a Znyx ZX346Q and with an Adaptec quad card. With the Znyx I tried both the default freebsd drivers it sees that card as and also with the Znyx drivers. This seems to be a problem somewhere other than in the NIC driver itself. Any suggestions or insight into what might be wrong here would be greatly appreciated. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200207121455.g6CEtI400824>