Snort mailing list archives
Re: 802.1q Monitoring
From: Jeff Nathan <jeff () snort org>
Date: Fri, 06 Jun 2003 15:25:48 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --On Friday, June 6, 2003 10:43 -0400 Chris Green <cmg () sourcefire com> wrote:
> Extend DecodeVlan() to be able to decode what it finds in decode.c and
> submit a patch to snort-devel and traffic captures of your trunked vlan
> configuration.
>
> Even if you don't have C skills, please send (at least me) a packet
> capture of your trunked vlan.
>
> Even if 1 snort config won't work for your vlans, you can use bpf to
> filter by vlan id before it goes to snort and then run a separate
> snort on each vlan.
> --
> Chris Green <cmg () sourcefire com>
> "Not everyone holds these truths to be self-evident, so we've worked
> up a proof of them as Appendix A." -- Paul Prescod
Trunking just tells the switch to preserve the 802.1Q tag when sending a
frame out an interface.
802.1Q specifies the following format for Ethernet:
dst_addr, src_addr, TPID, TCI, Ethertype
The 802.1Q specific "additions" are the following:
2 byte TPID
2 byte TCI
2 byte Ethertype (802.3)
2-30 byte E-RIF (Unused in Ethernet)
TPID: Tag Protocol identifier (indicating 802.1Q is used, value 0x8100)
TCI: Tag Control Information. Consists of three fields: user_priority,
CFI, VLAN-ID.
* user_priority: [three most significant bits from the high order byte]
specifying priority levels 0 - 7.
* CFI (Canonical Format Indicator): [next bit following user_priority]
1 indicates the presence of E-RIF data while 0 indicates no E-RIF data.
* VLAN ID: twelve bit VLAN identifier.
Ethertype: standard 802.3
E-RIF: in Ethernet this value is 0 (reset) indicating no E-RIF data is
present in the header following the Ethertype.
That should get you going, Chris.
- -Jeff
- --
http://cerberus.sourcefire.com/~jeff (gpg key available)
Great spirits have always encountered violent opposition from mediocre
minds.
- - Albert Einstein
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)
iD8DBQE+4Rb1Eqr8+Gkj0/0RAoVQAJ9Gadaf7zn+URj4zdolE88yBVF1nACgsA+j
tcFnl8XuNb3XS2D7p/mo54o=
=Sy/8
-----END PGP SIGNATURE-----
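As an added worked example (not part of this message, and not Snort's own DecodeVlan() from decode.c): a small C decoder that walks the tagged Ethernet layout Jeff describes above (dst, src, TPID, TCI, Ethertype) and pulls out user_priority, CFI and the VLAN ID, refusing frames that are too short or not tagged with TPID 0x8100. The frame bytes are constructed for illustration; the helper names (decode_vlan, frame_vlan_id) are this example's own. A sensor that cannot decode the tag never reaches the IP header behind it, so trunked VLANs become a detection blind spot; this is the field extraction such a decoder has to get right before any rule can match.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ETHER_ADDR_LEN   6
#define ETH_HDR_LEN      14          /* dst + src + ethertype */
#define VLAN_TAG_LEN     4           /* TPID + TCI inserted before the ethertype */
#define ETHERTYPE_8021Q  0x8100      /* TPID value announcing an 802.1Q tag */

/* Fields recovered from a single 802.1Q tag. */
struct vlan_info {
    uint16_t tpid;        /* 0x8100 for 802.1Q */
    uint8_t  priority;    /* user_priority: top 3 bits of TCI, 0-7 */
    uint8_t  cfi;         /* Canonical Format Indicator: bit below priority */
    uint16_t vid;         /* low 12 bits of TCI */
    uint16_t ethertype;   /* encapsulated protocol following the tag */
    size_t   payload_off; /* offset of the encapsulated payload in the frame */
};

/* Read a big-endian 16-bit field without relying on struct packing. */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Decode the 802.1Q tag of an Ethernet frame.
 * Returns 0 on success, -1 if the frame is too short or carries no tag. */
int decode_vlan(const uint8_t *frame, size_t len, struct vlan_info *out)
{
    if (frame == NULL || out == NULL)
        return -1;
    if (len < ETH_HDR_LEN + VLAN_TAG_LEN)
        return -1;                                  /* cannot hold a tag */

    const uint8_t *tag = frame + 2 * ETHER_ADDR_LEN; /* right after src addr */
    uint16_t tpid = rd16(tag);
    if (tpid != ETHERTYPE_8021Q)
        return -1;                                  /* untagged frame */

    uint16_t tci = rd16(tag + 2);
    out->tpid      = tpid;
    out->priority  = (uint8_t)((tci >> 13) & 0x07);
    out->cfi       = (uint8_t)((tci >> 12) & 0x01);
    out->vid       = (uint16_t)(tci & 0x0FFF);
    out->ethertype = rd16(tag + 4);
    out->payload_off = ETH_HDR_LEN + VLAN_TAG_LEN;
    /* On Ethernet CFI is expected to be 0 (no E-RIF); a set bit is worth
     * flagging because the payload offset computed above would be wrong. */
    return 0;
}

/* Convenience wrapper: the VLAN ID of a frame, or -1 if it is not tagged.
 * This is the value a per-VLAN split (as suggested in the thread) keys on. */
int frame_vlan_id(const uint8_t *frame, size_t len)
{
    struct vlan_info v;
    if (decode_vlan(frame, len, &v) != 0)
        return -1;
    return (int)v.vid;
}

/* Constructed sample: broadcast dst, made-up src, 802.1Q tag with
 * TCI 0xA064 (priority 5, CFI 0, VLAN 100), IPv4 ethertype, 4 payload bytes. */
const uint8_t SAMPLE_TAGGED[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    0x81, 0x00,             /* TPID */
    0xa0, 0x64,             /* TCI */
    0x08, 0x00,             /* Ethertype: IPv4 */
    0x45, 0x00, 0x00, 0x14  /* start of an IPv4 header (constructed) */
};
const size_t SAMPLE_TAGGED_LEN = sizeof SAMPLE_TAGGED;

/* Constructed sample: the same frame without a tag. */
const uint8_t SAMPLE_UNTAGGED[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    0x08, 0x00,
    0x45, 0x00, 0x00, 0x14
};
const size_t SAMPLE_UNTAGGED_LEN = sizeof SAMPLE_UNTAGGED;

int main(void)
{
    struct vlan_info v;
    if (decode_vlan(SAMPLE_TAGGED, SAMPLE_TAGGED_LEN, &v) == 0)
        printf("tagged: prio=%u cfi=%u vid=%u ethertype=0x%04x payload@%zu\n",
               v.priority, v.cfi, v.vid, v.ethertype, v.payload_off);
    printf("untagged frame vid: %d\n",
           frame_vlan_id(SAMPLE_UNTAGGED, SAMPLE_UNTAGGED_LEN));
    return 0;
}
```

Feeding a capture from a trunk port through this decoder, as Chris asks for in the thread, is the quickest way to confirm which frames a sensor would otherwise drop: every frame where frame_vlan_id() returns a VLAN ID rather than -1 is one that an untagged-only decoder never inspects.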