Snort mailing list archives

Re: 802.1q Monitoring


From: Jeff Nathan <jeff () snort org>
Date: Fri, 06 Jun 2003 15:43:16 -0700


I replied to Chris Green before looking at DecodeVlan.

Snort is already capable of decoding 802.1Q.  A trunk port simply carries 
802.1Q tags when sending frames out an interface.  Thus, it should work as 
is for your purposes.

-Jeff

--On Thursday, June 5, 2003 15:46 -0500 Ron Shuck <rshuck () Buchanan com> wrote:

Hi,

Has anyone implemented or tried to monitor an 802.1q (trunked) connection
with Snort? I saw that DLink has an 802.1q compatible card, and that it
appears to be supported under Linux. I have several remote locations
that do not have a huge amount of traffic, but there are several VLANs.
It would be much easier and get the most coverage to port mirror/tap the
WAN connection, but it is trunked.

Any help would be greatly appreciated.


Thanks,

Ron Shuck, CISSP, GCIA, CCSE - Managing Consultant
Buchanan Associates - A Technology Company in the People Business


-------------------------------------------------------
This SF.net email is sponsored by:  Etnus, makers of TotalView, The best
thread debugger on the planet. Designed with thread debugging features
you've never dreamed of, try TotalView 6 free at www.etnus.com.
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



--
http://cerberus.sourcefire.com/~jeff       (gpg key available)
Great spirits have always encountered violent opposition from mediocre
minds.
- Albert Einstein
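Added example, not part of the original message and not Snort's own DecodeVlan code: a minimal decoder showing what a sensor on a mirrored trunk port has to do with each frame, namely recognise the 802.1Q tag (TPID 0x8100), read the VLAN ID from the tag, and find the real EtherType behind it. The names `vlan_info` and `decode_8021q` and the sample frame are constructed for illustration, and only a single tag is handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETHERTYPE_8021Q 0x8100u /* TPID announcing an 802.1Q tag */

struct vlan_info {              /* hypothetical result type for this example */
    int      tagged;            /* 1 if an 802.1Q tag was present */
    uint8_t  priority;          /* PCP, top 3 bits of the TCI */
    uint16_t vlan_id;           /* VID, low 12 bits of the TCI */
    uint16_t ethertype;         /* EtherType of the encapsulated payload */
    size_t   payload_off;       /* where the payload starts in the frame */
};

/* Constructed sample: VLAN 100, priority 5, IPv4 payload (TCI = 0xA064). */
static const uint8_t sample_tagged[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x81,0x00, 0xa0,0x64, 0x08,0x00, 0x45,0x00 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode the Ethernet header and at most one 802.1Q tag.
 * Returns 0 on success, -1 if the frame is too short for what it claims. */
int decode_8021q(const uint8_t *f, size_t len, struct vlan_info *out)
{
    if (len < 14) return -1;               /* dst(6) + src(6) + type(2) */
    out->tagged = 0; out->priority = 0; out->vlan_id = 0;
    out->ethertype = be16(f + 12);
    out->payload_off = 14;
    if (out->ethertype != ETHERTYPE_8021Q) return 0;   /* untagged frame */
    if (len < 18) return -1;               /* tag adds TCI(2) + real type(2) */
    uint16_t tci = be16(f + 14);
    out->tagged = 1;
    out->priority = (uint8_t)(tci >> 13);
    out->vlan_id = tci & 0x0FFF;
    out->ethertype = be16(f + 16);         /* EtherType behind the tag */
    out->payload_off = 18;
    return 0;
}

int main(void)
{
    struct vlan_info v;
    if (decode_8021q(sample_tagged, sizeof sample_tagged, &v) == 0)
        printf("tagged=%d vlan=%u prio=%u type=0x%04x\n", v.tagged,
               (unsigned)v.vlan_id, (unsigned)v.priority, (unsigned)v.ethertype);
    return 0;
}
```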


