[Snort-devel] VLAN tagging

Keith R Kilby krkilby at ...1875...
Thu Mar 27 02:51:07 EST 2003


Sorry for the late reply, working funny hours at the moment.

Yes, will do when I get the network back for testing.

The other point is that eth1:1 is a physical interface whereas eth1.1 
should be the VLAN.

What I want to do is run several instances of Snort for different 
VLANs, with different alert and logging files.


Chris Green wrote:

>Keith R Kilby <krkilby at ...1875...> writes:
>>I have configured the machine to use the built-in 3C905 NIC or the
>>Dell Cdock II docking station's NIC, again a 3C905.
>>The Redhat kernel has been configured to support 802.1Q VLAN tagging
>>and works when tested with telnet, HTTP etc. However, when I try to
>>set up Snort to use the VLAN tag, e.g. eth0.1 or eth1.1, it falls over
>>with an error saying it does not recognise the device.  I have read
>>the archives which suggest that snort does support single depth
>It supports single depth vlanning to the extent that it will take off
>the vlan tags on the raw eth0 interface.
>Are you sure you shouldn't be using the eth1:1 interface?  Not sure
>how Linux handles that.  If you can,
>do tcpdump -i eth1:1 -s 65535 -w vlan-eth1:1.cap for a few packets and
>mail that to me so I could test with it if tcpdump supports it. 
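
The single-depth tag removal mentioned in the quoted reply, sketched as an added example; it is not part of the original thread and is not Snort's own decoder code. It shows how a capture on the raw interface still yields the VLAN ID needed to separate traffic per VLAN. The names `decode_frame`, `struct decoded` and the sample frame are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN   14      /* dst MAC + src MAC + EtherType */
#define VLAN_TAG_LEN  4       /* TPID (2 bytes) + TCI (2 bytes) */
#define TPID_8021Q    0x8100

struct decoded {              /* hypothetical result type for this example */
    int      tagged;          /* 1 if a single 802.1Q tag was removed */
    uint16_t vlan_id;         /* 12-bit VID from the TCI, 0 if untagged */
    uint16_t ethertype;       /* EtherType found after the (optional) tag */
    size_t   payload_off;     /* offset of the payload within the frame */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode one Ethernet frame, removing at most one 802.1Q tag (single depth).
 * A second, stacked tag is left in place and shows up as ethertype 0x8100.
 * Returns 0 on success, -1 if the frame or the tag is truncated. */
int decode_frame(const uint8_t *f, size_t len, struct decoded *out)
{
    if (len < ETH_HDR_LEN) return -1;
    out->tagged = 0;
    out->vlan_id = 0;
    out->ethertype = be16(f + 12);
    out->payload_off = ETH_HDR_LEN;
    if (out->ethertype == TPID_8021Q) {
        if (len < ETH_HDR_LEN + VLAN_TAG_LEN) return -1;  /* truncated tag */
        out->tagged = 1;
        out->vlan_id = be16(f + 14) & 0x0FFF;   /* mask off PCP and DEI bits */
        out->ethertype = be16(f + 16);
        out->payload_off = ETH_HDR_LEN + VLAN_TAG_LEN;
    }
    return 0;
}

/* Constructed sample: frame tagged VLAN 1, priority 5, carrying IPv4. */
static const uint8_t sample_tagged[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01,
    0x81,0x00, 0xa0,0x01, 0x08,0x00, 0x45,0x00 };

int main(void)
{
    struct decoded d;
    if (decode_frame(sample_tagged, sizeof sample_tagged, &d) == 0)
        printf("vlan=%u ethertype=0x%04x payload@%zu\n",
               (unsigned)d.vlan_id, (unsigned)d.ethertype, d.payload_off);
    return 0;
}
```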
