Snort mailing list archives
Re: VLAN tagging question
From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 03 Dec 2001 15:39:19 -0500
I wrote an 802.1q decoder for Snort back around version 1.8, so in theory it should just work.

    -Marty

Ryan Russell wrote:
> On Tue, 4 Dec 2001, Fyodor wrote:
>
> > I doubt it would be possible to deliver frames without the tag, cuz libpcap reads frames off the datalink directly, without having them processed through underlying OS tcp/ip stack (normally).
>
> Right. The VLAN software is part of the NIC driver. So, if you re-write the NIC driver to just chop off the VLAN tag, libpcap should pick them up OK. VLANs aren't related to TCP/IP.
>
> The Linux ISL driver I looked at, for example, patched the TULIP driver. It would allow you to configure eth0:vlan#, IIRC. In that instance, you would actually get a logically separate interface. Given that, it ought to be possible to re-write the driver so that instead of creating a separate interface, it keeps them under the physical interface, and drops the tag. Part of the software does the retrieval of the original frame already. You might even be able to keep the config syntax, so that you can monitor only certain VLANs.
>
> I have no idea how hard the mod would be, and it's beyond my abilities, I'm sure.
>
> (Note: I don't have the 802.1q spec in front of me, so don't take my word for it that you can simply "chop off" the VLAN tag. I don't know which, if any, checksums cover that tag.)
>
> Ryan
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch - President, Sourcefire Inc. - (410)552-6999
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
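
The decode-and-strip step discussed in this message, for a single 802.1Q tag, as an added example that is not part of the original post and is not Snort's decoder code. On the checksum question in the quoted text: the tag sits in the Ethernet header, so the only checksum that covers it is the Ethernet FCS; the code assumes the frame arrives without FCS, as a libpcap capture normally delivers it. `vlan_strip`, `struct vlan_info` and the sample frame are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HDR_LEN   14      /* dst MAC (6) + src MAC (6) + EtherType (2) */
#define VLAN_TAG_LEN  4       /* TPID (2) + TCI (2) */
#define TPID_8021Q    0x8100

struct vlan_info {
    int      tagged;      /* 1 if an 802.1Q tag was present */
    uint8_t  pcp;         /* priority code point, 3 bits */
    uint8_t  dei;         /* drop eligible indicator (formerly CFI), 1 bit */
    uint16_t vid;         /* VLAN identifier, 12 bits */
    uint16_t ethertype;   /* EtherType of the encapsulated payload */
};

/* Decode an Ethernet frame (assumed: no trailing FCS) and copy it into out
 * with a single 802.1Q tag removed. Untagged frames are copied unchanged.
 * Returns bytes written, or 0 if the frame is truncated or out is too small. */
size_t vlan_strip(const uint8_t *in, size_t len,
                  uint8_t *out, size_t out_cap, struct vlan_info *vi)
{
    memset(vi, 0, sizeof(*vi));
    if (len < ETH_HDR_LEN) return 0;
    uint16_t type = (uint16_t)((in[12] << 8) | in[13]);
    if (type != TPID_8021Q) {                 /* untagged: pass through */
        if (out_cap < len) return 0;
        vi->ethertype = type;
        memcpy(out, in, len);
        return len;
    }
    if (len < ETH_HDR_LEN + VLAN_TAG_LEN || out_cap < len - VLAN_TAG_LEN)
        return 0;                             /* TPID seen but tag truncated */
    uint16_t tci = (uint16_t)((in[14] << 8) | in[15]);
    vi->tagged = 1;
    vi->pcp = (uint8_t)(tci >> 13);
    vi->dei = (uint8_t)((tci >> 12) & 1);
    vi->vid = tci & 0x0FFF;
    vi->ethertype = (uint16_t)((in[16] << 8) | in[17]);
    memcpy(out, in, 12);                      /* both MAC addresses */
    memcpy(out + 12, in + 16, len - 16);      /* inner EtherType + payload */
    return len - VLAN_TAG_LEN;
}

/* Constructed sample: VLAN 100, priority 5, IPv4 EtherType, 4 payload bytes. */
static const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55,  0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x81,0x00,  0xa0,0x64,  0x08,0x00,  0xde,0xad,0xbe,0xef };
```

The VLAN ID is returned alongside the stripped frame so that a sensor can still filter or label traffic per VLAN after the tag is gone.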