[Snort-users] 802.1q Monitoring

Jeff Nathan jeff at ...950...
Fri Jun 6 15:35:04 EDT 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



- --On Friday, June 6, 2003 10:43 -0400 Chris Green <cmg at ...1935...> 
wrote:

>
> Extend DecodeVlan() to be able to decode what it finds in decode.c and
> submit a patch to snort-devel and traffic captures of your trunked vlan
> configuration.
>
> Even if you don't have C skills, please send (at least me) a packet
> capture of your trunked vlan.
>
> Even if 1 snort config won't work for your vlans, you can use bpf to
> filter by vlan id before it goes to snort and then run a separate
> snort on each vlan.
> --
> Chris Green <cmg at ...1935...>
>  "Not everyone holds these truths to be self-evident, so we've worked
>                   up a proof of them as Appendix A." --  Paul Prescod

Trunking just tells the switch to preserve the 802.1Q tag when sending a 
frame out an interface.

802.1Q specifies the following format for Ethernet:

dst_addr, src_addr, TPID, TCI, Ethertype

The 802.1Q specific "additions" are the following:
2 byte TPID
2 byte TCI
2 byte Ethertype (802.3)
2-30 byte E-RIF (Unused in Ethernet)

TPID: Tag Protocol identifier (indicating 802.1Q is used, value 0x8100)

TCI:  Tag Control Information.  Consists of three fields: user_priority,
      CFI, VLAN-ID.

      * user_priority: [three most significant bits from the high order
        byte] specifying priority levels 0 - 7.

      * CFI (Canonical Format Indicator): [next bit following user_priority]
        1 indicates the presence of E-RIF data while 0 indicates no E-RIF
        data.

      * VLAN ID: twelve bit VLAN identifier.

Ethertype: standard 802.3

E-RIF : in Ethernet this value is 0 (reset) indicating no E-RIF data is
        present in the header following the Ethertype.

That should get you going, Chris.

- -Jeff

- --
http://cerberus.sourcefire.com/~jeff       (gpg key available)
Great spirits have always encountered violent opposition from mediocre
minds.
- - Albert Einstein
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (Darwin)

iD8DBQE+4Rb1Eqr8+Gkj0/0RAoVQAJ9Gadaf7zn+URj4zdolE88yBVF1nACgsA+j
tcFnl8XuNb3XS2D7p/mo54o=
=Sy/8
-----END PGP SIGNATURE-----
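The header layout Jeff lists above (dst_addr, src_addr, TPID 0x8100, TCI with 3-bit user_priority, 1-bit CFI and 12-bit VLAN ID, then the encapsulated Ethertype), turned into a small decoder. This is an added example, not code from the original message and not Snort's DecodeVlan() in decode.c; the struct and function names, the ETHERTYPE_VLAN macro and the sample frame bytes are all constructed here for illustration. The one thing a capture-driven decoder must get right is the length check: a frame that announces a tag but is truncated inside it is rejected rather than read past the end of the buffer. E-RIF data (CFI set) is reported but not parsed, since the mail notes it is unused on Ethernet.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_ADDR_LEN   6
#define ETHERTYPE_VLAN 0x8100   /* TPID identifying an 802.1Q tag (assumed name) */

/* Fields recovered from an Ethernet frame that may carry one 802.1Q tag. */
struct vlan_decode {
    int      tagged;          /* 1 if TPID 0x8100 followed src_addr */
    uint8_t  priority;        /* user_priority: TCI bits 15..13 (0-7) */
    uint8_t  cfi;             /* Canonical Format Indicator: TCI bit 12 */
    uint16_t vlan_id;         /* VLAN ID: TCI bits 11..0 */
    uint16_t ethertype;       /* Ethertype of the encapsulated payload */
    size_t   payload_offset;  /* where that payload starts in the frame */
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Decode dst_addr, src_addr, [TPID, TCI,] Ethertype.
 * Returns 0 on success, -1 if the frame is shorter than the headers it
 * claims, so the caller never reads past the end of the captured data. */
int decode_vlan(const uint8_t *frame, size_t len, struct vlan_decode *out)
{
    size_t off = 2 * ETH_ADDR_LEN;          /* skip dst_addr and src_addr */
    uint16_t type;

    memset(out, 0, sizeof *out);
    if (len < off + 2)
        return -1;                          /* no room for TPID/Ethertype */
    type = be16(frame + off);
    off += 2;

    if (type == ETHERTYPE_VLAN) {
        /* TPID present: 2-byte TCI and the real 2-byte Ethertype follow */
        uint16_t tci;
        if (len < off + 4)
            return -1;                      /* tag claimed, bytes missing */
        tci = be16(frame + off);
        out->tagged   = 1;
        out->priority = (uint8_t)(tci >> 13);
        out->cfi      = (uint8_t)((tci >> 12) & 0x1);
        out->vlan_id  = (uint16_t)(tci & 0x0fff);
        type = be16(frame + off + 2);
        off += 4;                           /* E-RIF (CFI=1) not parsed */
    }
    out->ethertype      = type;
    out->payload_offset = off;
    return 0;
}

/* VLAN ID of a frame, or -1 if it is untagged or truncated. */
int vlan_id_of(const uint8_t *frame, size_t len)
{
    struct vlan_decode d;
    if (decode_vlan(frame, len, &d) != 0 || !d.tagged)
        return -1;
    return d.vlan_id;
}

/* Constructed sample (not a real capture): broadcast dst, TPID 0x8100,
 * TCI 0xa064 = priority 5, CFI 0, VLAN 100, inner Ethertype 0x0800,
 * then four placeholder payload bytes. */
const uint8_t sample_tagged[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,     /* dst_addr */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,     /* src_addr */
    0x81, 0x00,                             /* TPID */
    0xa0, 0x64,                             /* TCI */
    0x08, 0x00,                             /* Ethertype */
    0x45, 0x00, 0x00, 0x14                  /* start of payload */
};
const size_t sample_tagged_len = sizeof sample_tagged;

/* Same frame with no tag: the Ethertype follows src_addr directly. */
const uint8_t sample_untagged[] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    0x08, 0x00, 0x45, 0x00, 0x00, 0x14
};
const size_t sample_untagged_len = sizeof sample_untagged;

int main(void)
{
    struct vlan_decode d;
    if (decode_vlan(sample_tagged, sample_tagged_len, &d) == 0)
        printf("tagged=%d prio=%u cfi=%u vid=%u type=0x%04x payload@%zu\n",
               d.tagged, d.priority, d.cfi, d.vlan_id, d.ethertype,
               d.payload_offset);
    /* A frame cut off inside the tag is rejected instead of over-read */
    printf("truncated -> %d\n", decode_vlan(sample_tagged, 15, &d));
    return 0;
}
```

Chris's suggestion of running one snort per VLAN with a bpf filter in front is the same test done by the capture library instead of the decoder: the filter compares the 12-bit VLAN ID field decoded here, so a frame whose tag is truncated never reaches snort at all.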
