[Snort-users] VLAN Tagged Traffic - Some being missed

Aaron snort at ...10572...
Sun Apr 4 18:31:02 EDT 2004

Is there a trick to capturing traffic on Cisco capture ports?  

As Cisco is dropping "mirror" ports and going to capture ports, I now 
see vlan tagged traffic.  The network folks will not let me use mirror 
ports any more since Cisco is removing that in future releases of 
their IOS, from what I hear.

The problem is that in that scenario, I/Snort only see some of the 
traffic.  Tcpdump also drops many of the packets.

38 packets captured
1414426 packets received by filter
1408138 packets dropped by kernel

That is using libpcap 0.8.3 and tcpdump 3.8.3.  Using older versions 
of libpcap and tcpdump, I see the vlan tags in the output.  The latest 
version does not show them.  Neither seems to capture all.

This is on a circuit pushing about 500 megs of traffic.  Even on the 
sensors that only have less than 100 megs of traffic I get the same 
results and about the same loss.

The snort sensors are dual P4 xeon 2.8Ghz boxes with 1GB ram and 
ultra3 scsi disks.  I am using barnyard 0.2.0-rc2, not that it makes a 
diff. Info only.

Does it matter that I am getting traffic from multiple vlans?  Can 
Snort handle that?

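As an added example (not from the original post or the Snort project), here is a small Python parser for 802.1Q-tagged Ethernet frames: it pulls the VLAN ID out of each frame, walks stacked (QinQ) tags, and counts frames per VLAN, which is a quick way to see which VLANs actually arrive on a capture port and whether the tags are present at all. The frames below are constructed test data, not captured traffic.

```python
import struct
from collections import Counter

ETH_P_8021Q = 0x8100    # 802.1Q customer tag (TPID)
ETH_P_8021AD = 0x88A8   # 802.1ad service tag (QinQ outer tag)
ETH_P_IP = 0x0800


def parse_vlan_frame(frame: bytes):
    """Return (vlan_ids, ethertype, payload) for one raw Ethernet frame.

    vlan_ids lists the tags outer-to-inner; it is empty for untagged frames.
    Each TCI is 16 bits: PCP (3) | DEI (1) | VLAN ID (12).
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    vlan_ids = []
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vlan_ids.append(tci & 0x0FFF)   # low 12 bits are the VLAN ID
        offset += 4
    return vlan_ids, ethertype, frame[offset:]


def count_per_vlan(frames):
    """Count frames by outermost VLAN ID (None for untagged frames)."""
    counts = Counter()
    for frame in frames:
        vids, _, _ = parse_vlan_frame(frame)
        counts[vids[0] if vids else None] += 1
    return counts


def build_frame(vlan_ids, ethertype=ETH_P_IP, payload=b"\x45" + b"\x00" * 19):
    """Constructed test frame: dst MAC, src MAC, zero or more tags, ethertype, payload."""
    frame = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    for i, vid in enumerate(vlan_ids):
        # outer tag of a stacked pair uses the 802.1ad TPID, inner uses 802.1Q
        tpid = ETH_P_8021AD if (len(vlan_ids) > 1 and i == 0) else ETH_P_8021Q
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


# constructed sample: one untagged frame, VLAN 10 twice, VLAN 20 once, QinQ 100/20 once
CONSTRUCTED_FRAMES = [build_frame([]), build_frame([10]), build_frame([10]),
                      build_frame([20]), build_frame([100, 20])]

if __name__ == "__main__":
    for vid, n in sorted(count_per_vlan(CONSTRUCTED_FRAMES).items(), key=str):
        print(f"vlan {vid}: {n} frame(s)")
```

On a real capture, feed it the raw frame bytes of each packet (for example from a pcap reader) in place of CONSTRUCTED_FRAMES; if every frame comes back untagged, the tags were stripped before the sniffer saw them.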


