[Snort-devel] [ snort-Bugs-547547 ] vlan decode fails

noreply at ...12... noreply at ...12...
Tue Apr 23 07:41:12 EDT 2002


Bugs item #547547, was opened at 2002-04-23 06:20
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=547547&group_id=3357

Category: None
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: vlan decode fails

Initial Comment:
The vlan decoder wasn't reading the vlan tagged packets
coming off a span port on a bay switch. decode.c reads
the user priority (2 in this case) and if it isn't 0 it
goes looking for a LLC header after the vlan header. In
our case however there is no LLC header. The IP header
starts straight after the vlan header. I had a browse
of the IEEE 802.1Q standard but couldn't find a
reference to the user priority having anything to do
with whether an encapsulated LLC header is present or
not. Tcpdump does decode the packets correctly and has
a more length section of code to determine LLC stuff.
Perhaps something can be taken from there.

As a fix for us I just commented out the top of the
"if" statement to never look for an LLC header.

Oliver Friesen

----------------------------------------------------------------------

You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=103357&aid=547547&group_id=3357




More information about the Snort-devel mailing list