Snort mailing list archives
Re: 802.1q Monitoring
From: Jeff Nathan <jeff () snort org>
Date: Fri, 06 Jun 2003 15:25:48 -0700
On Friday, June 6, 2003 10:43 -0400 Chris Green <cmg () sourcefire com> wrote:
> Extend DecodeVlan() to be able to decode what it finds in decode.c and
> submit a patch to snort-devel and traffic captures of your trunked vlan
> configuration.
>
> Even if you don't have C skills, please send (at least me) a packet capture
> of your trunked vlan.
>
> Even if 1 snort config won't work for your vlans, you can use bpf to filter
> by vlan id before it goes to snort and then run a separate snort on each vlan.
>
> --
> Chris Green <cmg () sourcefire com>
> "Not everyone holds these truths to be self-evident, so we've worked up a
> proof of them as Appendix A." -- Paul Prescod
Trunking just tells the switch to preserve the 802.1Q tag when sending a frame out an interface.

802.1Q specifies the following format for Ethernet:

    dst_addr, src_addr, TPID, TCI, Ethertype

The 802.1Q specific "additions" are the following:

    2 byte TPID
    2 byte TCI
    2 byte Ethertype (802.3)
    2-30 byte E-RIF (unused in Ethernet)

TPID: Tag Protocol Identifier (indicating 802.1Q is used, value 0x8100)

TCI: Tag Control Information. Consists of three fields: user_priority, CFI, VLAN-ID.

  * user_priority: [three most significant bits from the high order byte] specifying priority levels 0 - 7.
  * CFI (Canonical Format Indicator): [next bit following user_priority] 1 indicates the presence of E-RIF data while 0 indicates no E-RIF data.
  * VLAN ID: twelve bit VLAN identifier.

Ethertype: standard 802.3

E-RIF: in Ethernet this value is 0 (reset) indicating no E-RIF data is present in the header following the Ethertype.

That should get you going, Chris.

-Jeff

--
http://cerberus.sourcefire.com/~jeff (gpg key available)

Great spirits have always encountered violent opposition from mediocre minds.
- Albert Einstein
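The tag layout Jeff describes, as an added example in C that is not part of the original thread or of Snort's decode.c: a small decoder that checks for the 0x8100 TPID, pulls user_priority, CFI and VLAN ID out of the TCI, reports the encapsulated Ethertype, and refuses truncated frames. The struct vlan_info, decode_vlan and the sample frame are my own constructions, not Snort's.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ETH_ADDR_LEN    6
#define ETHERTYPE_8021Q 0x8100   /* TPID value that marks an 802.1Q tag */
#define VLAN_HDR_MIN    (2 * ETH_ADDR_LEN + 6)  /* dst, src, TPID, TCI, Ethertype */

/* Hypothetical result struct (not Snort's) for one decoded 802.1Q tag. */
struct vlan_info {
    uint8_t  priority;     /* user_priority: three high bits of TCI (0-7) */
    uint8_t  cfi;          /* Canonical Format Indicator: bit after priority */
    uint16_t vlan_id;      /* twelve-bit VLAN identifier */
    uint16_t inner_type;   /* Ethertype of the encapsulated payload */
    size_t   payload_off;  /* offset of that payload within the frame */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Returns 0 on success, -1 if the frame is too short or carries no 802.1Q tag.
 * CFI=1 would signal E-RIF data; on Ethernet it is 0, so the flag is only
 * reported here, and a caller can treat CFI=1 as a malformed frame. */
int decode_vlan(const uint8_t *frame, size_t len, struct vlan_info *out)
{
    if (frame == NULL || out == NULL || len < VLAN_HDR_MIN)
        return -1;                          /* bounds check before any read */
    size_t off = 2 * ETH_ADDR_LEN;          /* skip dst_addr and src_addr */
    if (rd16(frame + off) != ETHERTYPE_8021Q)
        return -1;                          /* untagged frame */
    uint16_t tci = rd16(frame + off + 2);
    out->priority    = (uint8_t)(tci >> 13);
    out->cfi         = (uint8_t)((tci >> 12) & 0x1);
    out->vlan_id     = tci & 0x0FFF;
    out->inner_type  = rd16(frame + off + 4);
    out->payload_off = off + 6;
    return 0;
}

/* Constructed sample: tagged frame, priority 5, CFI 0, VLAN 100, inner IPv4. */
static const uint8_t sample_frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x81,0x00,              /* TPID = 0x8100 */
    0xa0,0x64,              /* TCI = 101 0 000001100100b -> prio 5, CFI 0, VID 100 */
    0x08,0x00,              /* inner Ethertype = IPv4 */
    0x45,0x00,0x00,0x14     /* first bytes of an IPv4 header, for illustration */
};
const size_t sample_frame_len = sizeof sample_frame;

int main(void)
{
    struct vlan_info vi;
    if (decode_vlan(sample_frame, sample_frame_len, &vi) != 0) return 1;
    printf("prio=%u cfi=%u vid=%u type=0x%04x\n",
           vi.priority, vi.cfi, vi.vlan_id, vi.inner_type);
    return 0;
}
```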
Current thread:
- 802.1q Monitoring Ron Shuck (Jun 05)
- Re: 802.1q Monitoring Bennett Todd (Jun 06)
- Re: 802.1q Monitoring Chris Green (Jun 06)
- Re: 802.1q Monitoring Jeff Nathan (Jun 06)
- Re: 802.1q Monitoring Chris Green (Jun 06)
- Re: 802.1q Monitoring Jeff Nathan (Jun 06)
- <Possible follow-ups>
- RE: 802.1q Monitoring Ron Shuck (Jun 06)
- Re: 802.1q Monitoring Chris Green (Jun 06)
- Re: 802.1q Monitoring Bennett Todd (Jun 06)