[Snort-users] snort and ATM

Dragos Ruiu dr at ...381...
Wed Mar 2 13:13:55 EST 2005

On March 2, 2005 02:18 am, Teva AVRIL wrote:
> So my question is simple: how could I manage to run snort to capture
> traffic on an atm interface if snort doesn't handle atm? Is it because
> decapsulation on RedHat9 is made so that snort is able to understand ip
> packets or something like this? Or maybe the latest libpcap could handle
> atm now?

Probably something did the reassembly for you.
If you need to do it, and you are using AAL5, it's very straightforward
if your interface gives you raw cells...
(And I assume it _is_ AAL5 as AAL3/4 pretty much went the way of
the dinosaurs...)

AAL5 segmentation is simple... tack a header and trailer (checksum)
on the IP packet, slice it up into 48 byte ATM payloads, add 5 byte
ATM header onto each and get 53 byte ATM cells.

A bit in the header will indicate the last cell of a packet.

Lather Rinse Repeat.

It's pretty easy to reassemble those back into IP packets.
The code is left as an exercise for the reader :-).

Though likely the reassembly is done in hardware and 
you are getting AAL5 packets and you may just have to strip
additional header and trailer off the IP packets to process 
them in snort.

World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada	May 4-6 2005  http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp
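
Added example (not part of the original message, and not Snort or libpcap code): a sketch of the AAL5 reassembly described above, keyed per VPI/VCI and rejecting PDUs whose length or CRC-32 does not check out. It assumes raw 53-byte UNI cells, the standard 8-byte AAL5 trailer, and an RFC 2684 LLC/SNAP header in front of the IPv4 packet; the function names are hypothetical and `segment` exists only to build constructed test cells.

```python
import struct

CELL, HDR, PAYLOAD, TRAILER = 53, 5, 48, 8
LLC_SNAP_IPV4 = bytes.fromhex("aaaa030000000800")  # assumed RFC 2684 encapsulation

def crc32_aal5(data):
    """AAL5 CRC-32: poly 0x04C11DB7, MSB first, init and final XOR all ones."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            crc = ((crc << 1) ^ 0x04C11DB7 if crc & 0x80000000 else crc << 1) & 0xFFFFFFFF
    return crc ^ 0xFFFFFFFF

def segment(packet, vpi=0, vci=32):
    """Build constructed test cells (UNI header layout, HEC byte left as zero)."""
    body = LLC_SNAP_IPV4 + packet
    pad = -(len(body) + TRAILER) % PAYLOAD          # pad PDU to a multiple of 48
    pdu = body + bytes(pad) + struct.pack(">BBH", 0, 0, len(body))
    pdu += struct.pack(">I", crc32_aal5(pdu))
    cells = []
    for off in range(0, len(pdu), PAYLOAD):
        last = off + PAYLOAD == len(pdu)
        word = (vpi << 20) | (vci << 4) | (int(last) << 1)  # PTI low bit = last cell
        cells.append(struct.pack(">IB", word, 0) + pdu[off:off + PAYLOAD])
    return cells

def reassemble(cells, max_pdu=65535 + PAYLOAD + TRAILER):
    """Yield (vpi, vci, ip_packet) per valid PDU; drop corrupt or oversized ones."""
    buffers = {}
    for cell in cells:
        if len(cell) != CELL:
            continue
        word = struct.unpack(">I", cell[:4])[0]
        vc = ((word >> 20) & 0xFF, (word >> 4) & 0xFFFF)
        pti = (word >> 1) & 0x7
        if pti & 0x4:                    # OAM/management cell, not user data
            continue
        buf = buffers.setdefault(vc, bytearray())
        buf += cell[HDR:]
        if len(buf) > max_pdu:           # end-of-PDU cell was lost: bound memory
            del buffers[vc]
        elif pti & 0x1:                  # last cell of this PDU
            pdu = bytes(buffers.pop(vc))
            length, crc = struct.unpack(">HI", pdu[-6:])
            body = pdu[:length]
            if (length <= len(pdu) - TRAILER and crc == crc32_aal5(pdu[:-4])
                    and body.startswith(LLC_SNAP_IPV4)):
                yield vc + (body[len(LLC_SNAP_IPV4):],)
```

A lost or corrupted cell makes the whole PDU fail the length or CRC check, so a sensor built this way silently misses that packet; counting rejected PDUs per VC is worth adding before relying on it for detection coverage.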
