Re: VLAN tagging question

[SkatFiend () aol com]

I would not try to monitor the VLAN trunk directly. Instead span the trunk 
port from your switch to another port on the same switch that your snort box 
will monitor. With Cisco the default management vlan "1" is probably the one 
you wish to monitor. You can grab all the traffic with a port span without 
having to be concerned about 802.1q vlan tags.

Cliff


In a message dated 12/3/2001 8:28:38 AM Eastern Standard Time, AWild () tnsi com 
writes:


> Don't know if this is possible, since I'm not sure where the VLAN tags are
> removed from an Ethernet frame.
>
> Can I use a tap to monitor an Ethernet trunk (full duplex connection with
> every frame containing 802.1q vlan tags) and have SNORT understand the
> frames?  How do you configure the interface to recognize and strip off the
> vlan tags?  I expect to have the interface configured without an IP address
> running in promiscuous mode capturing all frames.  Is this OS dependent, or
> does the app need to be aware of the vlan tags?
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users