Snort mailing list archives
Re: VLAN Tagged Traffic - Some being missed
From: Mark.Schutzmann () Omron com
Date: Sun, 4 Apr 2004 22:30:00 -0500
Aaron,

What model switch is it (you're not trying to snort a router are you?)? I assume that you're running something like a high-end C6500? What IOS?

Can you give more information, such as: What NIC card is in your Snort box, how it's connected to the switch, what Linux distro are you using?

With Cisco, it's all basically the same concept, no tricks and multiple VLANs can be monitored when configured properly.

Regards,
Mark

"Aaron" <snort () microchp org>
Sent by: snort-users-admin () lists sourceforge net
04/04/2004 08:30 PM
To: snort-users () lists sourceforge net
cc:
Subject: [Snort-users] VLAN Tagged Traffic - Some being missed

Is there a trick to capturing traffic on Cisco capture ports? As Cisco is dropping "mirror" ports and going to capture ports, I now see vlan tagged traffic. The network folks will not let me use mirror ports any more since Cisco is removing that in future releases of their IOS, from what I hear.

The problem is that in that scenario, I/Snort only see some of the traffic. Tcpdump also drops many of the packets.

38 packets captured
1414426 packets received by filter
1408138 packets dropped by kernel

That is using libpcap 0.8.3 and tcpdump 3.8.3. Using older versions of libpcap and tcpdump, I see the vlan tags in the output. The latest version does not show them. Neither seems to capture all.

This is on a circuit pushing about 500 megs of traffic. Even on the sensors that only have less than 100 megs of traffic I get the same results and about the same loss.

The snort sensors are dual P4 xeon 2.8Ghz boxes with 1GB ram and ultra3 scsi disks. I am using barnyard 0.2.0-rc2, not that it makes a diff. Info only.

Does it matter that I am getting traffic from multiple vlans? Can Snort handle that?

Regards,
Aaron

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users