Snort mailing list archives
Re: Snort not seeing IP-traffic, just Ether/Other
From: "Kim.Halavakoski () Crosskey fi" <Kim.Halavakoski () Crosskey fi>
Date: Thu, 18 Apr 2013 21:31:13 +0000
Hi all,

tried the vlan filter earlier, didn't make any difference. Also, I had not created VLAN tagged interfaces since I am receiving traffic from multiple VLANs and didn't think I needed to configure each VLAN interface in order to get the traffic snorted... But then after Eoin's VLAN interface comments and some googling and testing setting up VLAN tagged interfaces I realized that the 8021q module was not loaded in the kernel. I tried loading that and created some VLAN interface for one of the monitored VLANs and voilà, I am now getting traffic. I did not need to create the VLAN interfaces and have snort listen to those, just loading the 8021q module solved the issue and I am now getting the traffic with snort and tcpdump.

So the solution in the end was:

# modprobe 8021q

Thanks guys!

-Kim

On 04/19/2013 12:23 AM, Tony Robinson wrote:
Try this test first: run

tcpdump -i eth0 [other tcpdump options you use] vlan

Use the option "vlan" as your ONLY filter option, or "vlan and host x.x.x.x" where host x.x.x.x is the IP address of a vlan'd host you want to grab traffic from. Tell us if you see traffic on the interface. If this works, you can give snort a BPF filter to sniff vlan and non-vlan tagged traffic.

On Thu, Apr 18, 2013 at 4:42 PM, Eoin Miller <eoin.miller () trojanedbinaries com> wrote:

On 4/18/2013 20:36, Kim.Halavakoski () Crosskey fi wrote:
> Also, any VLAN action going on?
> Yes, there should be and are VLANs on the span port (Windows 7 sees them...) but for some reason the VLAN traffic is not seen by this box with the current configuration and OS..

Yea, you need to create your VLAN interface on the box and sniff on that in order to see the packets. Just how the OS is.
http://unixfoo.blogspot.com/2007/12/linux-vlan-configuration.html

-- Eoin

Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!

--
when does reality end? when does fantasy begin?
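As an added illustration of the framing behind the symptom in the subject line (example code written for this page, not from the thread, from Snort or from tcpdump): a tagged frame carries EtherType 0x8100 where an IPv4 frame carries 0x0800, so a per-EtherType counter that does not peel the tag files the frame under something other than IP, while a tag-aware decoder recovers the VLAN ID and the inner EtherType. The sample frames are constructed and the "Ether/Other" label is only mimicked, not taken from Snort's code.

```python
"""Decode IEEE 802.1Q / 802.1ad VLAN tags from raw Ethernet frames.
Sample frames are constructed here; nothing is captured from a live interface."""
import struct

ETH_P_8021Q = 0x8100   # 802.1Q customer tag (TPID)
ETH_P_8021AD = 0x88A8  # 802.1ad service tag (outer tag of QinQ)
ETH_P_IP = 0x0800
ETH_P_IPV6 = 0x86DD
VLAN_TPIDS = {ETH_P_8021Q, ETH_P_8021AD}
IP_TYPES = {ETH_P_IP, ETH_P_IPV6}

def decode_frame(frame: bytes) -> dict:
    """Peel every VLAN tag; report outer/inner EtherType, VLAN IDs and payload offset."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    outer_type, = struct.unpack_from("!H", frame, 12)
    ethertype, offset, vlans = outer_type, 14, []
    # A tag is 4 bytes: the TPID just read as 'ethertype', then a 2-byte TCI.
    while ethertype in VLAN_TPIDS:
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        vlans.append(tci & 0x0FFF)  # TCI = PCP(3) | DEI(1) | VID(12); keep the VID
        offset += 4
    return {"outer_type": outer_type, "inner_type": ethertype,
            "vlans": vlans, "payload_offset": offset}

def classify(frame: bytes, decode_vlan: bool = True) -> str:
    """Mimic a per-EtherType protocol counter, with and without tag decoding."""
    info = decode_frame(frame)
    etype = info["inner_type"] if decode_vlan else info["outer_type"]
    return "IP" if etype in IP_TYPES else "Ether/Other"

def build_frame(vlan_ids, ethertype: int = ETH_P_IP) -> bytes:
    """Construct a frame: dst/src MAC, zero or more tags (outermost first), stub payload."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # constructed MACs
    tags = b""
    for i, vid in enumerate(vlan_ids):
        tpid = ETH_P_8021AD if (i == 0 and len(vlan_ids) > 1) else ETH_P_8021Q
        tags += struct.pack("!HH", tpid, vid & 0x0FFF)
    return hdr + tags + struct.pack("!H", ethertype) + bytes(20)

if __name__ == "__main__":
    for name, frame in [("untagged", build_frame([])), ("vlan 100", build_frame([100])),
                        ("QinQ 200/300", build_frame([200, 300], ETH_P_IPV6))]:
        info = decode_frame(frame)
        print(f"{name:13s} outer=0x{info['outer_type']:04x} vlans={info['vlans']} "
              f"tag-unaware={classify(frame, False):11s} tag-aware={classify(frame)}")
```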
Current thread:
- Re: Snort Start up error, (continued)
- Re: Snort Start up error Said Nurhussein (Apr 18)
- Re: Snort Start up error waldo kitty (Apr 18)
- Re: Snort Start up error Said Nurhussein (Apr 18)
- Re: Snort Start up error waldo kitty (Apr 19)
- Re: Snort not seeing IP-traffic, just Ether/Other Glenn Geller (Apr 18)
- Re: Snort not seeing IP-traffic, just Ether/Other James Lay (Apr 18)
- Re: Snort not seeing IP-traffic, just Ether/Other Kim.Halavakoski () Crosskey fi (Apr 18)
- Re: Snort not seeing IP-traffic, just Ether/Other Eoin Miller (Apr 18)
- Re: Snort not seeing IP-traffic, just Ether/Other Tony Robinson (Apr 18)
- Re: Snort not seeing IP-traffic, just Ether/Other Kim.Halavakoski () Crosskey fi (Apr 18)
- Message not available
- Re: Snort Start up error Said Nurhussein (Apr 19)