Snort mailing list archives

Re: VLAN tagging question


From: Fyodor <fygrave () tigerteam net>
Date: Tue, 4 Dec 2001 00:41:49 +0700

On Mon, Dec 03, 2001 at 10:42:21AM -0700, Ryan Russell wrote:
> On Tue, 4 Dec 2001, Fyodor wrote:
>
> > I doubt it would be possible to deliver frames without the tag, cuz
> > libpcap reads frames off the datalink directly, without having them
> > processed through underlying OS tcp/ip stack (normally).
>
> Right.  The VLAN software is part of the NIC driver.  So, if you re-write
> the NIC driver to just chop off the VLAN tag, libpcap should pick them up
> OK.  VLANs aren't related to TCP/IP.

Wrongly worded: libpcap will give you the frame including the datalink
protocol header. I guess with libpcap you will be able to see that.
Although it should be probably possible to hack the driver to strip off
vlan header, and replace(?) it with ethernet or whichever type the
libpcap would detect the interface as. (or hack libpcap as well, to
return ethernet, cuz otherwise you'd have to add support to snort as
well). Linux's interface: 'any' is one of the examples of 'virtual'
interfaces handling in kernel space.

> The Linux ISL driver I looked at, for example, patched the TULIP driver.
> It would allow you to configure eth0:vlan#, IIRC.  In that instance, you
> would actually get a logically separate interface.  Given that, it ought
> to be possible to re-write the driver so that instead of creating a
> separate interface, it keeps them under the physical interface, and drops
> the tag.  Part of the software does the retrieval of the original frame
> already.  You might even be able to keep the config syntax, so that you
> can monitor only certain VLANs.  I have no idea how hard the mod would be,
> and it's beyond my abilities, I'm sure.


yup. makes sense.


-- 
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
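The tag stripping the thread talks about, as an added example that is not code from this thread, from Snort or from libpcap: a C routine that takes a raw frame as libpcap would hand it over and, if it carries an 802.1Q tag (TPID 0x8100, assumed here rather than Cisco ISL), records the VLAN ID and priority and rewrites the frame as plain Ethernet so a consumer expecting an untagged frame sees one. The function name, struct and sample frame bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ETH_HDR_LEN    14      /* dst MAC + src MAC + EtherType */
#define VLAN_TAG_LEN   4       /* TPID (2) + TCI (2) */
#define ETHERTYPE_VLAN 0x8100  /* 802.1Q tag protocol identifier */

struct vlan_info {
    int tagged;         /* 1 if an 802.1Q tag was present */
    uint16_t vid;       /* VLAN ID, low 12 bits of the TCI */
    uint8_t pcp;        /* priority code point, top 3 bits of the TCI */
    uint16_t ethertype; /* EtherType of the encapsulated payload */
};

/* Copy frame `in` (len bytes) to `out` (at least len bytes), dropping an
 * 802.1Q tag if one is present so the result is a plain Ethernet frame.
 * Returns bytes written, or -1 if the frame is shorter than its headers. */
static int strip_vlan_tag(const uint8_t *in, size_t len, uint8_t *out,
                          struct vlan_info *info)
{
    memset(info, 0, sizeof *info);
    if (len < ETH_HDR_LEN)
        return -1;
    uint16_t type = (uint16_t)(in[12] << 8 | in[13]);
    if (type != ETHERTYPE_VLAN) {           /* untagged: pass through */
        info->ethertype = type;
        memcpy(out, in, len);
        return (int)len;
    }
    if (len < ETH_HDR_LEN + VLAN_TAG_LEN)   /* tagged but truncated */
        return -1;
    uint16_t tci = (uint16_t)(in[14] << 8 | in[15]);
    info->tagged = 1;
    info->pcp = (uint8_t)(tci >> 13);
    info->vid = tci & 0x0fff;
    info->ethertype = (uint16_t)(in[16] << 8 | in[17]);
    memcpy(out, in, 12);                             /* dst + src MAC */
    memcpy(out + 12, in + 12 + VLAN_TAG_LEN, len - 12 - VLAN_TAG_LEN);
    return (int)(len - VLAN_TAG_LEN);
}

/* Constructed sample: broadcast dst, locally administered src, 802.1Q tag
 * with PCP 3 and VID 100 (TCI 0x6064), IPv4 EtherType, 4 bytes of payload. */
static const uint8_t sample_tagged_frame[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01,
    0x81,0x00, 0x60,0x64, 0x08,0x00, 0xde,0xad,0xbe,0xef
};
```

The VLAN ID is kept in the side structure rather than discarded, which is what lets a per-VLAN monitoring filter like the one Ryan describes be applied before the frame is passed on.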

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users