Snort mailing list archives

Re: VLAN tagging question


From: Ryan Russell <ryan () securityfocus com>
Date: Mon, 3 Dec 2001 10:05:25 -0700 (MST)

On Mon, 3 Dec 2001, Wild, Andrew wrote:

> Can I use a tap to monitor an Ethernet trunk (full duplex connection with
> every frame containing 802.1q vlan tags) and have SNORT understand the
> frames?  How do you configure the interface to recognize and strip off the
> vlan tags?

That would be the OS or libpcap's problem, I imagine.  Worse, you might
have to make sure you have a NIC that can do VLANs, because the tagged
frames aren't legal standard Ethernet frames.  Some NICs might just drop
them.  There are 802.1q drivers for many OSes and NICs.  Which are you
using?  It would probably be possible to hack up the drivers to deliver
the frames without the VLAN tag, where source is available.

> I expect to have the interface configured without an IP address
> running in promiscuous mode capturing all frames.  Is this OS dependent, or
> does the app need to be aware of the vlan tags?

If you can deliver the frames with the tags still on, then the app
(libpcap or Snort, depending) will have to understand/ignore them.  If you
can deliver the frames without the tag, the apps don't have to change.  I
imagine the latter would be the way to go.

                                        Ryan
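
What delivering the frames without the tag amounts to at the byte level, as an added example that is not part of the original message and is not Snort, libpcap or driver code. The helper name `strip_vlan_tag` and the sample frame are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_ADDRS_LEN 12     /* destination MAC + source MAC */
#define TPID_8021Q    0x8100 /* EtherType value that marks an 802.1Q tag */
#define VLAN_TAG_LEN  4      /* TPID (2 bytes) + TCI (2 bytes) */

/* Constructed sample: broadcast frame, priority 1, VLAN 100, EtherType IPv4,
 * followed by four payload bytes. */
static const uint8_t sample_tagged[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,  0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    0x81, 0x00,  0x20, 0x64,  0x08, 0x00,  0x45, 0x00, 0x00, 0x1c
};

/* Remove one 802.1Q tag in place (hypothetical helper).
 * Returns the new frame length, or 0 if the frame is truncated.
 * *vlan_id receives the 12-bit VLAN ID, or -1 for an untagged frame. */
size_t strip_vlan_tag(uint8_t *frame, size_t len, int *vlan_id)
{
    *vlan_id = -1;
    if (len < ETH_ADDRS_LEN + 2)
        return 0;                                  /* no room for an EtherType */
    if (((frame[12] << 8) | frame[13]) != TPID_8021Q)
        return len;                                /* untagged: leave as is */
    if (len < ETH_ADDRS_LEN + VLAN_TAG_LEN + 2)
        return 0;                                  /* tag present but cut short */
    *vlan_id = ((frame[14] << 8) | frame[15]) & 0x0FFF; /* drop PCP/DEI bits */
    /* Slide the real EtherType and payload over the 4-byte tag. */
    memmove(frame + ETH_ADDRS_LEN, frame + ETH_ADDRS_LEN + VLAN_TAG_LEN,
            len - ETH_ADDRS_LEN - VLAN_TAG_LEN);
    return len - VLAN_TAG_LEN;
}

int main(void)
{
    uint8_t buf[sizeof sample_tagged];
    int vid;
    memcpy(buf, sample_tagged, sizeof buf);
    size_t n = strip_vlan_tag(buf, sizeof buf, &vid);
    printf("vlan=%d len=%zu ethertype=%02x%02x\n", vid, n, buf[12], buf[13]);
    return 0;
}
```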



