RE: VLAN tagging question

["Wild, Andrew" <AWild () tnsi com>]

        OK, I understand this, but I want to monitor multiple VLANs at the
same time without having to span ports and use multiple ethernet interfaces
on my IDS host.




> I would not try to monitor the VLAN trunk directly. Instead span the trunk
> port from your switch to another port on the same switch that your snort
> box will monitor. With Cisco the default management vlan "1" is probably
> the one you wish to monitor. You can grab all the traffic with a port span
> without having to be concerned about 802.1q vlan tags.
>
> Cliff
>
>
> In a message dated 12/3/2001 8:28:38 AM Eastern Standard Time,
> AWild () tnsi com writes:
>
>
>
>
>       Don't know if this is possible, since I'm not sure where the VLAN
> tags are
>       removed from an Ethernet frame.
>       
>       Can I use a tap to monitor an Ethernet trunk (full duplex connection
> with
>       every frame containing 802.1q vlan tags) and have SNORT understand
> the
>       frames?  How do you configure the interface to recognize and strip
> off the
>       vlan tags?  I expect to have the interface configured without an IP
> address
>       running in promiscuous mode capturing all frames.  Is this OS
> dependent, or
>       does the app need to be aware of the vlan tags?
>       
>       _______________________________________________
>       Snort-users mailing list
>       Snort-users () lists sourceforge net
>       Go to this URL to change user options or unsubscribe:
>       https://lists.sourceforge.net/lists/listinfo/snort-users
>       Snort-users list archive:
>       http://www.geocrawler.com/redir-sf.php3?list=snort-users
>       

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users