[Snort-devel] vlan support

Frank Knobbe FKnobbe at ...339...
Mon Apr 9 17:31:12 EDT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> From: Fyodor [mailto:fygrave at ...1...]
> Sent: Monday, April 09, 2001 7:26 AM
> 
> On Mon, Apr 09, 2001 at 02:14:45PM +0200, Scott A. McIntyre wrote:
> > Hi,
> > 
> > I've been trying to incorporate VLAN support into snort; I'm making slow
> > progress but have managed to get it to work fine on verbose output, that
> > is, if I tell decode.c that for frame type 802.1q it should add
> > four bytes to the packet size, but strip off those four for the capture, it
> > seems to return valid data.
> 
> Urrr.. :) kinda messy.. do you have any tcpdump format files for testing, I may
> help you 'reversing' the thing :).


Can't DecodeEthPkt just check the Ethernet header, and if it doesn't
find 0x0800 in the right spot, let it memcpy the packet 4 bytes to
the left, and check for 0x0800 again? If there would be an indicator
in the first 4 bytes that would specify it as a VLAN tag, that might
even be cleaner...

Once the packet has been memcpy'd four bytes to the left, essentially
the first four bytes clipped off, then all the other routines should
be able to handle the packet, shouldn't they?

Just a thought...

Frank

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME encrypted email preferred.

iQA/AwUBOtIqIJytSsEygtEFEQJezgCdE4qFH0vt1nBcalHcSeUhEN5AmnkAnjx8
L9I7zNDWkCPEOFeOBrZ6nb5h
=80lT
-----END PGP SIGNATURE-----
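
Added example, not part of the original message and not Snort's own code: a bounds-checked form of the check discussed in this thread, treating the 802.1Q TPID 0x8100 at the EtherType position as the tag indicator and returning a payload offset instead of moving the packet. The names `decode_eth` and `eth_info` and the sample frames are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN     14      /* dst MAC + src MAC + EtherType */
#define VLAN_TAG_LEN    4       /* TPID (2 bytes) + TCI (2 bytes) */
#define ETHERTYPE_IP    0x0800
#define ETHERTYPE_8021Q 0x8100  /* TPID that marks an 802.1Q tag */

struct eth_info {               /* hypothetical result type */
    int      ok;                /* 0 if the capture is too short to decode */
    uint16_t ether_type;        /* EtherType of the encapsulated payload */
    int      vlan_id;           /* 0..4095, or -1 when the frame is untagged */
    size_t   payload_off;       /* offset of the first payload byte */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode the link-layer header without modifying or copying the packet. */
struct eth_info decode_eth(const uint8_t *pkt, size_t caplen)
{
    struct eth_info r = { 0, 0, -1, 0 };
    if (caplen < ETH_HDR_LEN) return r;
    r.ether_type  = be16(pkt + 12);
    r.payload_off = ETH_HDR_LEN;
    if (r.ether_type == ETHERTYPE_8021Q) {
        if (caplen < ETH_HDR_LEN + VLAN_TAG_LEN) return r;  /* truncated tag */
        r.vlan_id     = be16(pkt + 14) & 0x0FFF;  /* low 12 bits of the TCI */
        r.ether_type  = be16(pkt + 16);           /* EtherType after the tag */
        r.payload_off = ETH_HDR_LEN + VLAN_TAG_LEN;
    }
    r.ok = 1;
    return r;
}

/* Constructed sample frames: link-layer header plus one payload byte (0x45). */
static const uint8_t untagged[] = {
    0,1,2,3,4,5, 6,7,8,9,10,11, 0x08,0x00, 0x45 };
static const uint8_t tagged[] = {   /* TCI 0x2064: priority 1, VLAN 100 */
    0,1,2,3,4,5, 6,7,8,9,10,11, 0x81,0x00, 0x20,0x64, 0x08,0x00, 0x45 };

int main(void)
{
    struct eth_info a = decode_eth(untagged, sizeof untagged);
    struct eth_info b = decode_eth(tagged, sizeof tagged);
    printf("untagged: vlan=%d type=0x%04x off=%zu\n", a.vlan_id, a.ether_type, a.payload_off);
    printf("tagged:   vlan=%d type=0x%04x off=%zu\n", b.vlan_id, b.ether_type, b.payload_off);
    return 0;
}
```

Later decoders can start at `pkt + payload_off`, so the capture buffer stays intact and the length checks keep a truncated tagged frame from being read past its end.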