Snort mailing list archives

Re: 802.1q Monitoring


From: Chris Green <cmg () sourcefire com>
Date: Fri, 06 Jun 2003 10:43:38 -0400

Bennett Todd <bet () rahul net> writes:

2003-06-05T16:46:00 Ron Shuck:
Has anyone implemented or tried to monitor a 802.1q (trunked)
connection with Snort?


[...]


If one snort config will work for all your vlans,

Extend DecodeVlan() to be able to decode what it finds in decode.c and
submit a patch to snort-devel and traffic captures of your trunked vlan
configuration.

Even if you don't have C skills, please send (at least me) a packet
capture of your trunked vlan.

Even if 1 snort config won't work for your vlans, you can use bpf to
filter by vlan id before it goes to snort and then run a separate
snort on each vlan.
-- 
Chris Green <cmg () sourcefire com>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod
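
What decoding a trunked frame and selecting by VLAN id involves, as an added example that is not part of the original message and is not Snort's DecodeVlan(): a minimal C parser for a single 802.1Q tag. The names parse_vlan, vlan_info and the sample frames are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN  14      /* dst MAC + src MAC + EtherType */
#define VLAN_TAG_LEN 4       /* TCI + encapsulated EtherType */
#define TPID_8021Q   0x8100  /* EtherType value that marks an 802.1Q tag */

struct vlan_info {           /* hypothetical struct, not from decode.c */
    uint16_t vid;            /* VLAN id: low 12 bits of the TCI */
    uint8_t  pcp;            /* priority: top 3 bits of the TCI */
    uint16_t inner_type;     /* EtherType of the encapsulated payload */
};

/* Read a big-endian 16-bit field. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 1 for a tagged frame, 0 for untagged, -1 if the frame is truncated. */
int parse_vlan(const uint8_t *frame, size_t len, struct vlan_info *out)
{
    if (len < ETH_HDR_LEN) return -1;
    if (rd16(frame + 12) != TPID_8021Q) return 0;
    if (len < ETH_HDR_LEN + VLAN_TAG_LEN) return -1;   /* tag cut short */
    uint16_t tci = rd16(frame + 14);
    out->pcp = (uint8_t)(tci >> 13);
    out->vid = tci & 0x0FFF;
    out->inner_type = rd16(frame + 16);
    return 1;
}

/* Constructed samples: header bytes only. Tagged frame is VLAN 100, priority 5, IPv4. */
const uint8_t sample_tagged[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x81,0x00, 0xa0,0x64, 0x08,0x00 };
const uint8_t sample_untagged[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x08,0x00 };

int main(void)
{
    struct vlan_info v;
    if (parse_vlan(sample_tagged, sizeof sample_tagged, &v) == 1)
        printf("vlan %u prio %u inner 0x%04x\n",
               (unsigned)v.vid, (unsigned)v.pcp, (unsigned)v.inner_type);
    return 0;
}
```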

