The solution to my problem (see original query below) was to make
sure the interface was in promiscuous mode with copy-all turned on.
The command required was

    pfconfig +p +c ln0

Thanks to all respondents, especially
Darryl Cook <dlc_at_cs.appstate.edu>
Jeffrey Mogul <mogul_at_actitis.pa.dec.com>
who both provided the correct solution.
Richard
Original query:
> I have just compiled up and installed libpcap (v0.4) and snort (v1.7)
> on a Tru64 v4.0F system. While the software does not crash, I am
> concerned that it appears not to see any TCP or ICMP traffic at all
> (plenty of UDP, ARP and IPX). About half of all traffic is classified
> as "Other", which makes me think the TCP and ICMP is somehow being
> mis-classified.
>
> The libpcap software compiled fine with cc, but I had to use gcc to
> get a clean compile of snort.
>
> Any ideas?
-----------------------------------
Richard Rogers
Information Technology Services
Staffordshire University
Tel: 01785 (+44 1785) 353392
E-mail: R.M.Rogers_at_staffs.ac.uk
...Sit back, relax, and soon it will just go away...
Received on Mon Apr 09 2001 - 08:21:17 NZST