tcpdump mailing list archives
Re: [unisog] what changes or filter required accommodate VLAN coding for Shadow, Snort/Acid and especially IPaudit
From: Chris Green <cmg () sourcefire com>
Date: Mon, 21 Apr 2003 10:35:16 -0400
"Harris, Michael C." <HarrisMC () health missouri edu> writes:
What changes have others made to accommodate VLANs using tcpdump-based products like Shadow and Snort with ACID?
I'd call IPaudit and Snort "libpcap"-based products (see below). I don't know much about SHADOW so I won't answer anything on it.
Am I missing something in having to deal with the two extra columns of 802.1q VLAN data? The raw tcpdump files are created just fine, but won't the two extra characters in non-raw (analyzed text output) at the beginning of the line of text throw off the analysis?

I assume others have either figured out how to strip those two columns out for each sensor feed or edited the fetchem scripts so the analysis deals with the extra columns. I am curious what others have done, particularly to the statistics.pl script that produces the daily stats. I see very little even in the tcpdump_workers list about dealing with VLANs and almost nothing in the SHADOW, Snort w/ACID and IPaudit documentation. Am I missing something obvious here?
Snort handles 802.1q by just stripping off the VLAN headers and analyzing everything as if it were on the same segment. Most of the time, this is acceptable. If you want to only analyze packets on a particular VLAN, you add vlan <vlan_id> to your BPF filter. IPaudit doesn't seem to handle VLANs currently but I'm sure Jon Rifkin would accept patches to help add it.

-- 
Chris Green <cmg () sourcefire com>
I've had a perfectly wonderful evening. But this wasn't it. -- Groucho Marx

- This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe
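Added example, not code from this thread or from Snort, IPaudit or libpcap: a small Python parser showing what the 4-byte 802.1Q tag does to the frame layout (TPID 0x8100 followed by a TCI whose low 12 bits are the VLAN id), the "strip the tag and analyze as untagged" behaviour described for Snort above, and a matcher that approximates the BPF `vlan <vlan_id>` primitive. All frames, MAC addresses, payloads and VLAN ids are constructed inline and are made up. It also handles stacked (QinQ) tags, which the thread does not discuss, matching only the outermost tag the way libpcap's `vlan` keyword does.

```python
import struct

# 802.1Q / 802.1ad tag protocol identifiers and one payload ethertype.
TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, payload, ethertype=ETHERTYPE_IPV4, vlan_ids=(), pcp=0):
    """Build a raw Ethernet frame, optionally with one or more stacked
    802.1Q tags (outermost first). Each tag is 4 bytes: TPID + TCI, where
    TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    hdr = bytes(dst) + bytes(src)
    for vid in vlan_ids:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_frame(frame):
    """Return (vlan_ids, ethertype, payload). vlan_ids is [] for an untagged
    frame and [outer, inner, ...] for tagged ones."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    offset = 12                      # position of the (first) ethertype field
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    vlan_ids = []
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("frame truncated inside 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[offset + 2:offset + 6])
        vlan_ids.append(tci & 0x0FFF)   # drop PCP/DEI, keep the 12-bit VID
        offset += 4                     # each tag pushes the real ethertype 4 bytes out
    return vlan_ids, ethertype, frame[offset + 2:]


def strip_vlan_tags(frame):
    """Remove every 802.1Q tag, the 'analyze as if on one segment' behaviour
    the reply above describes for Snort: the result is an untagged frame."""
    vlan_ids, _, _ = parse_frame(frame)
    return frame[:12] + frame[12 + 4 * len(vlan_ids):]


def on_vlan(frame, vlan_id):
    """Approximates the BPF primitive 'vlan <id>': true only for frames whose
    outermost tag carries that VID (untagged frames never match)."""
    vlan_ids, _, _ = parse_frame(frame)
    return bool(vlan_ids) and vlan_ids[0] == vlan_id


def filter_vlan(frames, vlan_id):
    """Keep only the frames a 'vlan <id>' filter would let through."""
    return [f for f in frames if on_vlan(f, vlan_id)]


# Constructed sample traffic (not real captures): same payload, different tagging.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = bytes(range(20))                      # stand-in for an IPv4 packet
UNTAGGED = build_frame(DST, SRC, PAYLOAD)
TAGGED_100 = build_frame(DST, SRC, PAYLOAD, vlan_ids=(100,))
TAGGED_200_PCP5 = build_frame(DST, SRC, PAYLOAD, vlan_ids=(200,), pcp=5)
QINQ_10_100 = build_frame(DST, SRC, PAYLOAD, vlan_ids=(10, 100))  # outer 10, inner 100
FRAMES = [UNTAGGED, TAGGED_100, TAGGED_200_PCP5, QINQ_10_100]


if __name__ == "__main__":
    for f in FRAMES:
        vids, et, payload = parse_frame(f)
        print(f"len={len(f):3d} vlans={vids} ethertype=0x{et:04x} "
              f"stripped_len={len(strip_vlan_tags(f))} on_vlan_100={on_vlan(f, 100)}")
```

The offset shift in `parse_frame` is the whole problem the original question is about: on a tagged frame the IP header starts 4 bytes later than an untagged decoder expects. In libpcap the first `vlan` keyword in a filter expression changes the decoding offsets for everything that follows it, so `vlan 100 and tcp port 80` works on tagged traffic, whereas a bare `tcp port 80` on a raw capture of tagged frames matches nothing because the ethertype at offset 12 is 0x8100, not 0x0800 (unless the NIC or driver has already stripped the tag before libpcap sees the frame).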
Current thread:
- [unisog] what changes or filter required accommodate VLAN coding for Shadow, Snort/Acid and especially IPaudit Harris, Michael C. (Apr 18)
- Re: [unisog] what changes or filter required accommodate VLAN coding for Shadow, Snort/Acid and especially IPaudit Chris Green (Apr 21)