[Snort-devel] vlan support

Frank Knobbe FKnobbe at ...339...
Mon Apr 9 18:24:43 EDT 2001

Hash: SHA1

One of these days I learn to think before posting...

The packet header is just the pcap stuff, so the packet is there in
full. Which means the DecodeEthPkt would the right place, correct?
How about changing the default in the case branch so that when it
could not identify the EtherType, it clips the first four bytes off,
or whatever the overhead of the tag is, using memcpy and then let it
run through the case again. If it hits default again, it could count
the pc.other as usual. That way the packet would be cleaned and the
rest of snort be able to work with it.

If I'm way off, just tell me to shut up :)


> -----Original Message-----
> From: Frank Knobbe 
> Sent: Monday, April 09, 2001 4:43 PM
> >
> > Can't DecodeEthPkt just check the Ethernet header, and if it
> > doesn't find 0x0800 in the right spot, let it memcpy the packet 4
> > bytes to the left, and check for 0x0800 again? If there would be
> > an indicator in the first 4 bytes that would specify it as a VLAN
> > tag, that might even be cleaner...
> > 
> > Once the packet has been memcpy'd for bytes to the left,
> > essentially the first four bytes clipped off, then all the other
> > routines should be able to handle the packet, shouldn't they?

Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME encrypted email preferred.


More information about the Snort-devel mailing list