[Snort-devel] VLAN tagging
Keith R Kilby
krkilby at ...1875...
Thu Mar 27 02:51:07 EST 2003
Sorry for late reply working funny hours at the moment.
Yes will do when I get the network back for testing.
The other point is that eth1:1 is a physical interface whereas eth1.1
should be the VLAN.
What I want to do is run several instances of SNORT for different
VLAN's. Different alert and loging files.
Chris Green wrote:
>Keith R Kilby <krkilby at ...1875...> writes:
>>I have configured the machine to use the in built 3C905 NIC or the
>>Dell Cdock II docking stations NIC again a 3C905.
>>The Redhat kernel has been configured to support 802.1Q VLAN tagging
>>and works when tested with telnet, HTTP etc. However when I try to
>>set up Snort to use the VLAN tag eg eth0.1 or eth1.1 it falls over
>>with an error saying it does not recognise the device. I have read
>>the archives which suggest that snort does support single depth
>It supposts single depth vlanning to the extent that it will take off
>the vlan tags on the raw eth0 interface.
>Are you sure you shouldn't be using the eth1:1 interface? Not sure
>how linux handles that. If you can,
>do tcpdump -i eth1:1 -s 65535 -w vlan-eth1:1.cap for a few packets
>mail that to me so I could test with it if tcpdump supports it.
More information about the Snort-devel