[Snort-devel] VLAN tagging

Chris Green cmg at ...402...
Wed Mar 26 05:56:26 EST 2003

Keith R Kilby <krkilby at ...1875...> writes:

> I have configured the machine to use the inbuilt 3C905 NIC or the
> Dell Cdock II docking station's NIC, again a 3C905.
> The Redhat kernel has been configured to support 802.1Q VLAN tagging
> and works when tested with telnet, HTTP etc. However when I try to
> set up Snort to use the VLAN tag, e.g. eth0.1 or eth1.1, it falls over
> with an error saying it does not recognise the device.  I have read
> the archives which suggest that snort does support single depth
> vlanning.

It supports single depth vlanning to the extent that it will take off
the vlan tags on the raw eth0 interface.

Are you sure you shouldn't be using the eth1:1 interface?  Not sure
how Linux handles that.  If you can, do

tcpdump -i eth1:1 -s 65535 -w vlan-eth1:1.cap

for a few packets and mail that to me so I could test with it, if
tcpdump supports it.
Chris Green <cmg at ...402...>
Laugh and the world laughs with you, snore and you sleep alone.
