[Snort-users] 802.1q Monitoring
jeff at ...950...
Fri Jun 6 15:35:04 EDT 2003
--On Friday, June 6, 2003 10:43 -0400 Chris Green <cmg at ...1935...>
> Extend DecodeVlan() to be able to decode what it finds in decode.c and
> submit a patch to snort-devel and traffic captures of your trunked vlan
> Even if you don't have C skills, please send (at least me) a packet
> capture of your trunked vlan.
> Even if 1 snort config won't work for your vlans, you can use bpf to
> filter by vlan id before it goes to snort and then run a separate
> snort on each vlan.
> Chris Green <cmg at ...1935...>
> "Not everyone holds these truths to be self-evident, so we've worked
> up a proof of them as Appendix A." -- Paul Prescod
Trunking just tells the switch to preserve the 802.1Q tag when sending a
frame out an interface.
802.1Q specifies the following format for Ethernet:
dst_addr, src_addr, TPID, TCI, Ethertype
The 802.1Q specific "additions" are the following:
2 byte TPID
2 byte TCI
2 byte Ethertype (802.3)
2-30 byte E-RIF (Unused in Ethernet)
TPID: Tag Protocol identifier (indicating 802.1Q is used, value 0x8100)
TCI: Tag Control Information. Consists of three fields: user_priority,
* user_priority: [three most significant bits from the high order
specifying priority levels 0 - 7.
* CFI (Canonical Format Indicator): [next bit following
1 indicates the presence of E-RIF data while 0 indicates no E-RIF
* VLAN ID: twelve bit VLAN identifier.
Ethertype: standard 802.3
E-RIF : in Ethernet this value is 0 (reset) indicating no E-RIF data is
in the header following the Ethertype.
That should get you going, Chris.
http://cerberus.sourcefire.com/~jeff (gpg key available)
Great spirits have always encountered violent opposition from mediocre
-- Albert Einstein
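The tag layout Jeff lays out above (dst, src, TPID 0x8100, TCI split into 3-bit priority / 1-bit CFI / 12-bit VLAN ID, then the encapsulated Ethertype), as an added decoder example that is not Snort's DecodeVlan() or any code from the thread; the frame bytes, the `vlan_hdr_t` struct and the `decode_vlan` name are constructed for illustration, and E-RIF (CFI=1) is not parsed since it is unused on Ethernet.

```c
#include <stdint.h>
#include <stddef.h>

/* Decoded view of one 802.1Q tag: TPID (0x8100), then TCI, then the
 * encapsulated Ethertype. All fields are big-endian on the wire. */
typedef struct {
    uint16_t tpid;
    uint8_t  priority;    /* TCI bits 15..13, user_priority 0-7 */
    uint8_t  cfi;         /* TCI bit 12, 1 would mean E-RIF follows */
    uint16_t vlan_id;     /* TCI bits 11..0 */
    uint16_t ethertype;   /* Ethertype of the encapsulated payload */
    size_t   payload_off; /* offset of that payload within the frame */
} vlan_hdr_t;

#define ETH_ADDR_LEN 6
#define ETHERTYPE_8021Q 0x8100

/* Returns 0 on success, -1 if the frame is too short, -2 if untagged. */
int decode_vlan(const uint8_t *frame, size_t len, vlan_hdr_t *out)
{
    /* dst(6) + src(6) + TPID(2) + TCI(2) + Ethertype(2) = 18 bytes minimum */
    if (len < 2 * ETH_ADDR_LEN + 6)
        return -1;
    const uint8_t *p = frame + 2 * ETH_ADDR_LEN;
    uint16_t tpid = (uint16_t)((p[0] << 8) | p[1]);
    if (tpid != ETHERTYPE_8021Q)
        return -2;               /* plain 802.3 frame, no tag present */
    uint16_t tci = (uint16_t)((p[2] << 8) | p[3]);
    out->tpid        = tpid;
    out->priority    = (uint8_t)(tci >> 13);
    out->cfi         = (uint8_t)((tci >> 12) & 0x1);
    out->vlan_id     = tci & 0x0FFF;
    out->ethertype   = (uint16_t)((p[4] << 8) | p[5]);
    out->payload_off = 2 * ETH_ADDR_LEN + 6;
    return 0;
}

/* Constructed sample: tagged frame, priority 5, CFI 0, VLAN 100, IPv4.
 * TCI = (5 << 13) | (0 << 12) | 100 = 0xA064 */
static const uint8_t sample_frame[] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, /* dst */
    0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, /* src */
    0x81, 0x00,                         /* TPID */
    0xA0, 0x64,                         /* TCI */
    0x08, 0x00,                         /* Ethertype IPv4 */
    0x45, 0x00                          /* start of IP payload (cut short) */
};
const size_t sample_frame_len = sizeof sample_frame;
```

Because the decoder only looks past the tag when the TPID matches, an untagged frame is reported rather than misread, and a truncated frame is rejected before any TCI bytes are touched.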