Snort mailing list archives

Re: VLAN tagging question


From: Fyodor <fygrave () tigerteam net>
Date: Tue, 4 Dec 2001 00:26:02 +0700

On Mon, Dec 03, 2001 at 10:05:25AM -0700, Ryan Russell wrote:
> On Mon, 3 Dec 2001, Wild, Andrew wrote:
>
> > Can I use a tap to monitor an Ethernet trunk (full duplex connection with
> > every frame containing 802.1q vlan tags) and have SNORT understand the
> > frames?  How do you configure the interface to recognize and strip off the
> > vlan tags?
>
> That would be the OS or libpcap's problem, I imagine.  Worse, you might

No, actually snort (or any other piece of software over libpcap) is
normally supposed to do that. There was actually someone who was going
to port snort to support some vlan tags, but donno how far it's gone. If
someone could make a tcpdump binary file and put it online, I may try to
have a look to see if it could be done quickly. (not having much time
these days though :( )


> If you can deliver the frames with the tags still on, then the app
> (libpcap or Snort, depending) will have to understand/ignore them.  If you
> can deliver the frames without the tag, the apps don't have to change.  I
> imagine the latter would be the way to go.

I doubt it would be possible to deliver frames without the tag, cuz
libpcap reads frames off the datalink directly, without having them
processed through the underlying OS tcp/ip stack (normally).

-- 
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
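What the thread is circling around is that a frame captured off a trunk carries a 4-byte 802.1Q tag between the source MAC and the EtherType, so a decoder that assumes the EtherType sits at offset 12 misreads every tagged frame. The helper below is an added example written for this page, not Snort or libpcap code: it walks the tag stack of a raw Ethernet frame, records each VLAN ID, and returns the frame with the tags removed, which is exactly the "strip it before the app sees it" option Ryan describes. It goes slightly beyond the thread by also handling stacked 802.1ad (Q-in-Q) tags. The MAC addresses, payload and `build_tagged_frame` helper are constructed test data.

```python
"""Peel 802.1Q (and stacked 802.1ad) VLAN tags off raw Ethernet frames.

Hypothetical helper written for this thread; not Snort or libpcap code.
Layout of a tagged frame:
  dst MAC (6) | src MAC (6) | TPID 0x8100 (2) | TCI (2) | inner EtherType (2) | payload
TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)
"""
import struct
from typing import List, Tuple

TPID_8021Q = 0x8100   # customer tag (802.1Q)
TPID_8021AD = 0x88A8  # service tag, the outer tag in Q-in-Q (802.1ad)
ETHERTYPE_IPV4 = 0x0800


def strip_vlan_tags(frame: bytes) -> Tuple[List[int], int, bytes]:
    """Return (vlan_ids, inner_ethertype, untagged_frame).

    vlan_ids is listed outermost-first. untagged_frame is the same frame with
    every tag removed, i.e. what a tag-unaware decoder expects at offset 12.
    Raises ValueError on frames too short to contain what their headers claim.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12                    # first EtherType/TPID field sits after the two MACs
    vlan_ids: List[int] = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated EtherType field")
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            break                  # reached the real EtherType (e.g. 0x0800 for IPv4)
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[offset + 2:offset + 4])
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4                    # skip TPID + TCI and look at the next field
    untagged = frame[:12] + frame[offset:]
    return vlan_ids, ethertype, untagged


def build_tagged_frame(vlan_ids, ethertype: int, payload: bytes, pcp: int = 0) -> bytes:
    """Constructed test frame: dummy MACs and one tag per VLAN ID (outermost first).

    With two or more IDs the outermost tag uses the 802.1ad service TPID, as a
    Q-in-Q provider trunk would.
    """
    dst = bytes.fromhex("00112233aabb")  # constructed, not a real station
    src = bytes.fromhex("00112233ccdd")
    tags = b""
    for i, vid in enumerate(vlan_ids):
        tpid = TPID_8021AD if (i == 0 and len(vlan_ids) > 1) else TPID_8021Q
        tci = (pcp << 13) | (vid & 0x0FFF)
        tags += struct.pack("!HH", tpid, tci)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    payload = bytes(20)  # placeholder where an IPv4 header would sit
    frame = build_tagged_frame([100], ETHERTYPE_IPV4, payload)
    vids, et, untagged = strip_vlan_tags(frame)
    print("VLANs:", vids, "inner EtherType: 0x%04x" % et, "untagged length:", len(untagged))
```

The untagged frame is what you would hand to a decoder that only knows plain Ethernet; the VLAN IDs are worth keeping alongside it, since on a trunk the VLAN is the only thing that tells you which segment a packet actually came from, and the same IP addresses can appear on several of them.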

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users