Hi all,
I have a DSL connection with PPPoE, and have been having problems with tcpdump
filtering. RH 7.2 boxes with libpcap 0.6.2/0.7.1 and tcpdump 3.6.2/3.7.1.
Internet <-> dsl modem <-> hub/tap <-> router <-> LAN (switch)
                             |
                             |
                             V
                     (snort, tcpdump)
I am snorting and using tcpdump from the tap, which is an 8 port hub,
therefore I'm seeing "raw" PPPoE packets. I use a dedicated NIC for snort
and tcpdump, which is brought up "stealth", i.e. no IP address or mask.
The problem I face is that no matter how simple the filter expression I use
with tcpdump, it doesn't work. Straight dumps using -w <logfile> dump
everything fine, but this isn't always practical and isn't what I'm after.
For example: (eth1 is my stealth NIC)
/usr/sbin/tcpdump -i eth1 host 1.2.3.4
/usr/sbin/tcpdump -i eth1 port 27374
If I then use an external shell account and try to telnet back in to the
specific port(s) etc, the filters never work. In addition, I have tried
altering the -s snaplen from the default, to 0 and others to no avail.
I realize that encapsulation occurs with PPPoE, however snort 1.8.3-5 and
1.8.4-1 have no difficulties running in IDS mode from the same tap.
Unfortunately I do not really code and therefore lack the necessary coding
skills to further troubleshoot this. I would appreciate any explanation(s)
or perhaps a future fix or patch.
Cheers,
Christopher J. Oliver
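As an added illustration (not from the original post or from the tcpdump project) of the encapsulation the writer mentions: a small Python parser that locates the IPv4 header in both a plain Ethernet frame and a PPPoE session frame, beside a naive "host" check that assumes IP always starts right after the 14-byte Ethernet header. The frame bytes, MAC addresses and IP addresses are constructed sample values.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PPPOE_SESSION = 0x8864  # PPPoE session stage (RFC 2516)
PPP_PROTO_IPV4 = 0x0021           # PPP protocol number carrying IPv4

def ipv4_offset(frame):
    """Offset of the IPv4 header within an Ethernet frame, or None if not IPv4."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_IPV4:
        return 14                        # plain Ethernet: IP follows the MAC header
    if ethertype == ETHERTYPE_PPPOE_SESSION and len(frame) >= 22:
        # 6-byte PPPoE header (ver/type, code, session id, length), then 2-byte PPP protocol
        if struct.unpack("!H", frame[20:22])[0] == PPP_PROTO_IPV4:
            return 22                    # IP starts 8 bytes later than a plain-Ethernet filter assumes
    return None

def _dotted(raw):
    return ".".join(str(b) for b in raw)

def addrs_at(frame, off):
    """Dotted (src, dst) addresses read from an IPv4 header at the given offset."""
    if len(frame) < off + 20:
        return None
    return _dotted(frame[off + 12:off + 16]), _dotted(frame[off + 16:off + 20])

def host_match(frame, host):
    """Encapsulation-aware equivalent of a 'host X' filter."""
    off = ipv4_offset(frame)
    pair = addrs_at(frame, off) if off is not None else None
    return pair is not None and host in pair

def naive_host_match(frame, host):
    """A 'host X' check that always assumes IPv4 at offset 14 (plain Ethernet only)."""
    pair = addrs_at(frame, 14)
    return pair is not None and host in pair

def build_frame(src, dst, pppoe):
    """Constructed 20-byte IPv4 header inside either a plain or a PPPoE session frame."""
    ip = bytes([0x45, 0, 0, 20, 0, 0, 0x40, 0, 64, 6, 0, 0])
    ip += bytes(int(o) for o in src.split(".")) + bytes(int(o) for o in dst.split("."))
    eth = b"\xaa" * 6 + b"\xbb" * 6         # constructed destination/source MACs
    if not pppoe:
        return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip
    pppoe_hdr = bytes([0x11, 0x00]) + struct.pack("!HH", 0x0001, len(ip) + 2)
    return (eth + struct.pack("!H", ETHERTYPE_PPPOE_SESSION) + pppoe_hdr
            + struct.pack("!H", PPP_PROTO_IPV4) + ip)
```

On the PPPoE frame the naive check reads PPPoE/PPP header bytes and IP header fields as if they were addresses, so "host 1.2.3.4" never matches even though the packet carries that address.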
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html