tcpdump mailing list archives

[unisog] what changes or filters are required to accommodate VLAN coding for Shadow, Snort/ACID and especially IPaudit


From: "Harris, Michael C." <HarrisMC () health missouri edu>
Date: Fri, 18 Apr 2003 11:35:09 -0500

What changes have others made to accommodate VLANs using tcpdump-based products like Shadow and Snort with ACID?

Am I missing something in having to deal with the two extra columns of 802.1q VLAN data? The raw tcpdump files are
created just fine, but won't the two extra characters in non-raw (analyzed text output) at the beginning of the line of
text throw off the analysis?

I assume others have either figured out how to strip those two columns out for each sensor feed or edited the
fetchem scripts so their analysis deals with the extra columns. I am curious what others have done, particularly to the
statistics.pl script that produces the daily stats.

I see very little even in the tcpdump_workers list about dealing with VLANs and almost nothing in the SHADOW, Snort
w/ACID and IPaudit documentation. Am I missing something obvious here?

Mike


-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
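The extra 802.1Q fields the question describes come from a four-byte tag (TPID 0x8100 plus a 16-bit TCI carrying priority and VLAN ID) inserted between the source MAC and the ethertype, which shifts every later header by four bytes. The following is an added example, not code from the thread or from Shadow, Snort or IPaudit: a small Python parser that recognises the tag, records the VLAN ID and priority, and returns the payload at the same offset for tagged and untagged frames, so a statistics routine sees one layout either way. The sample frames are constructed inline, not captured traffic.

```python
"""Normalise 802.1Q-tagged and untagged Ethernet frames to one layout (added example)."""
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETHERTYPE_8021Q = 0x8100  # TPID that marks a VLAN-tagged frame
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]   # None when the frame carries no 802.1Q tag
    priority: Optional[int]  # 802.1p priority bits from the TCI, if tagged
    ethertype: int           # ethertype of the encapsulated payload
    payload: bytes           # begins at the same protocol header either way


def parse_ethernet(raw: bytes) -> Frame:
    """Parse an Ethernet II header, transparently removing one 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    offset = 14
    vlan_id = priority = None
    if ethertype == ETHERTYPE_8021Q:
        # Tag control information (TCI) and the real ethertype follow the TPID.
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        priority = tci >> 13       # top 3 bits: 802.1p priority
        vlan_id = tci & 0x0FFF     # low 12 bits: VLAN identifier
        offset = 18
    return Frame(dst, src, vlan_id, priority, ethertype, raw[offset:])


def summarize(frames: List[bytes]) -> Dict[Tuple[Optional[int], int], int]:
    """Bytes of payload per (vlan_id, ethertype); the kind of per-feed tally a daily stats script keeps."""
    counts: Counter = Counter()
    for raw in frames:
        f = parse_ethernet(raw)
        counts[(f.vlan_id, f.ethertype)] += len(f.payload)
    return dict(counts)


# Constructed sample frames (not captured traffic): the same addresses and the
# same 20-byte IPv4 header, once untagged and once tagged with VLAN 100, priority 5.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = bytes.fromhex("4500001400010000400600000a0000010a000002")
UNTAGGED = DST + SRC + struct.pack("!H", ETHERTYPE_IPV4) + PAYLOAD
TAGGED = DST + SRC + struct.pack("!HHH", ETHERTYPE_8021Q, (5 << 13) | 100, ETHERTYPE_IPV4) + PAYLOAD


def same_payload(a: bytes, b: bytes) -> bool:
    """True when two frames carry the same payload regardless of VLAN tagging."""
    return parse_ethernet(a).payload == parse_ethernet(b).payload


if __name__ == "__main__":
    for raw in (UNTAGGED, TAGGED):
        f = parse_ethernet(raw)
        print(f"vlan={f.vlan_id} prio={f.priority} ethertype=0x{f.ethertype:04x} payload={len(f.payload)} bytes")
    print(summarize([UNTAGGED, TAGGED, TAGGED]))
```

On the capture side, the BPF filter language already knows about the tag: the `vlan` keyword in a tcpdump filter matches tagged frames and shifts the offsets used by any filter terms that follow it, so `tcpdump vlan and ip` applies the `ip` test to the encapsulated packet rather than to the tag bytes. Tagged and untagged traffic on the same interface therefore need either two capture filters or a parser like the one above that tolerates both layouts.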

