PPPoE when Snort not talking listening on PPP interface

[Wynn Fenwick <wfenwick () FHLSim com>]

Here is my home LAN topology:

[ISP]---[DSL Bridge]--[enet_hub]---[PPPoE_gw]----[private_hub]---[hosts]

                          |                           |
                          +------[e1_Snort__e0]-------*
                                 [   Sensor   ]

PPPoE flows on the outside enet_hub. e1 on my Snort sensor is not
configured with an IP address. It runs in promisc mode, picking up on
the PPPoE datagrams flowing across and terminating on my PPPoE_gw.

My PPPoE_gw is a proprietary box, incapable of running snort on it.

The issue is that neither Snort nor SHADOW can figure this out. I have
walked through endless pages talking about dynamic and static IP's and
sniffing PPP interfaces that only exist when they are up.

I suppose I could go hotwire the libpcap stuff so that the IPoPPPoE is
decoded as IPoE, but it might take until the next ice age for me to
finish it correctly.

Is anyone else working on this?

W

--
FHLSim - The Fantasy Hockey League Simulator of Choice
http://www.FHLSim.com/