
Snort Forums Archive


How does snort handle vlan tagged packets


Posted by kaito on March 16, 2005 03:01:11

I will use Snort in a VLAN-trunked network. While validating Snort's handling in a VLAN-trunked network, Snort can detect events :) There is a question on this validation. What decodes VLAN-tagged packets? The Linux kernel, or Snort?

Snort version is 2.0.1, the Linux kernel is 2.6.x, the distribution is Fedora Core 1.
During validation, Snort is launched with the following command:
# /usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf -D -i bond0

Reference:
http://www.snort.org/external/?url=http://cvs.snort.org/viewcvs.cgi/snort/ChangeLog?rev=HEAD&content-%20type=text/vnd.viewcvs-markup
http://www.securityfocus.com/infocus/1640

Best regards.


Posted by roesch on March 19, 2005 17:27:04

Snort has an 802.1q decoder in it that should be decoding the vlan tags. Since you're sniffing on bond0 I'm not sure if it's going to be getting the raw packets or if the bonding modifies the packet headers going through the kernel at all. It probably doesn't so I'd just assume that Snort's decoder is handling it.

BTW, version 2.0.1 is ancient, you should really upgrade to 2.3.2.

-Marty
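To show what an 802.1Q decoder such as the one Marty mentions actually has to do on the wire, here is an added example that is not Snort's own code: it walks an Ethernet II frame, steps over a single 802.1Q tag (TPID 0x8100) if present, extracts the PCP and VLAN ID from the TCI, and reports the inner ethertype and the payload offset that a following IP decoder would start from. The function and struct names and the sample frame are constructed for this example, and a tag that is truncated by the capture length is rejected rather than read past the end of the buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ETHERTYPE_VLAN 0x8100  /* 802.1Q TPID */
#define ETHERTYPE_IP   0x0800

/* Result of walking the link-layer headers of one frame (hypothetical type). */
struct link_decode {
    int      tagged;      /* 1 if an 802.1Q tag was present */
    uint16_t vid;         /* VLAN ID (low 12 bits of TCI), valid if tagged */
    uint8_t  pcp;         /* priority code point (top 3 bits of TCI) */
    uint16_t ethertype;   /* ethertype of the encapsulated payload */
    size_t   payload_off; /* byte offset of that payload within the frame */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode Ethernet II, stepping over one 802.1Q tag if present.
 * Returns 0 on success, -1 if the frame is too short for the headers it claims. */
int decode_link(const uint8_t *frame, size_t len, struct link_decode *out)
{
    size_t off = 12;                     /* dst MAC + src MAC */
    if (len < off + 2) return -1;
    out->tagged = 0;
    uint16_t type = rd16(frame + off);
    off += 2;
    if (type == ETHERTYPE_VLAN) {
        if (len < off + 4) return -1;    /* truncated tag: refuse, don't overread */
        uint16_t tci = rd16(frame + off);
        out->tagged = 1;
        out->pcp = (uint8_t)(tci >> 13);
        out->vid = tci & 0x0fff;
        type = rd16(frame + off + 2);    /* ethertype of the encapsulated payload */
        off += 4;
    }
    out->ethertype = type;
    out->payload_off = off;
    return 0;
}

/* Constructed sample: tagged frame, PCP 5, VID 100, carrying an IPv4 header start. */
static const uint8_t sample[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x81,0x00, 0xa0,0x64, 0x08,0x00,
    0x45,0x00
};

int main(void) {
    struct link_decode d;
    if (decode_link(sample, sizeof sample, &d) == 0)
        printf("tagged=%d vid=%u pcp=%u ethertype=0x%04x payload_off=%zu\n",
               d.tagged, d.vid, d.pcp, d.ethertype, d.payload_off);
    return 0;
}
```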