[Snort-users] 802.1q Monitoring

Jeff Nathan jeff at ...950...
Fri Jun 6 15:44:03 EDT 2003

I replied to Chris Green before looking at DecodeVlan.

Snort is already capable of decoding 802.1Q.  A trunk port simply carries 
802.1Q tags when sending frames out an interface.  Thus, it should work as 
is for your purposes.

-Jeff

--On Thursday, June 5, 2003 15:46 -0500 Ron Shuck <rshuck at ...6736...>

> Hi,
> Has anyone implemented or tried to monitor an 802.1q (trunked) connection
> with Snort? I saw that DLink has an 802.1q-compatible card, and that it
> appears to be supported under Linux. I have several remote locations
> that do not have a huge amount of traffic, but there are several VLANs.
> It would be much easier and get the most coverage to port mirror/tap the
> WAN connection, but it is trunked.
> Any help would be greatly appreciated.
> Thanks,
> Ron Shuck, CISSP, GCIA, CCSE - Managing Consultant
> Buchanan Associates - A Technology Company in the People Business

--
http://cerberus.sourcefire.com/~jeff       (gpg key available)
Great spirits have always encountered violent opposition from mediocre
- Albert Einstein