[Snort-users] Snort not seeing IP-traffic, just Ether/Other

Tony Robinson deusexmachina667 at ...11827...
Thu Apr 18 17:23:00 EDT 2013


Try this test first:

Run tcpdump -i eth0 [other tcpdump options you use] vlan

Use the option "vlan" as your ONLY filter option, or "vlan and host
x.x.x.x" where host x.x.x.x is the IP address of a vlan'd host you want to
grab traffic from. Tell us if you see traffic on the interface. If this
works, you can give snort a BPF filter to sniff vlan and non-vlan tagged
traffic.





On Thu, Apr 18, 2013 at 4:42 PM, Eoin Miller <
eoin.miller at ...14586...> wrote:

> On 4/18/2013 20:36, Kim.Halavakoski at ...16243... wrote:
> > Also, any VLAN action going on? Yes, there should be and are VLANs on the
> > span port (Windows 7 sees them...) but for some reason the VLAN traffic
> > is not seen by this box with the current configuration and OS..
>
> Yea, you need to create your VLAN interface on the box and sniff on that
> in order to see the packets. Just how the OS is.
>
> http://unixfoo.blogspot.com/2007/12/linux-vlan-configuration.html
>
> -- Eoin
>
>



-- 
when does reality end? when does fantasy begin?
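
Added example, not part of the original message: a Python sketch of why a plain "ip" BPF filter misses 802.1Q-tagged frames while "vlan and ip" matches them, checking the same EtherType offsets the compiled filters check. The frames are constructed samples, and the combined expression "ip or (vlan and ip)" is an assumed standard pcap-filter form for the "vlan and non-vlan" filter mentioned above, not one given in the thread.

```python
import struct

ETH_P_IP = 0x0800      # IPv4 EtherType
ETH_P_8021Q = 0x8100   # 802.1Q VLAN tag

def ethertype_at(frame: bytes, offset: int) -> int:
    """Read the 16-bit big-endian field at the given frame offset."""
    if len(frame) < offset + 2:
        raise ValueError("frame too short")
    return struct.unpack_from("!H", frame, offset)[0]

def match_ip(frame: bytes) -> bool:
    """BPF 'ip': the EtherType at offset 12 must be IPv4."""
    return ethertype_at(frame, 12) == ETH_P_IP

def match_vlan_and_ip(frame: bytes) -> bool:
    """BPF 'vlan and ip': tag at offset 12, inner EtherType 4 bytes later."""
    return (ethertype_at(frame, 12) == ETH_P_8021Q
            and ethertype_at(frame, 16) == ETH_P_IP)

def match_either(frame: bytes) -> bool:
    """BPF 'ip or (vlan and ip)': untagged or single-tagged IPv4."""
    return match_ip(frame) or match_vlan_and_ip(frame)

def vlan_id(frame: bytes):
    """Return the 12-bit VLAN ID from the tag, or None if untagged."""
    if ethertype_at(frame, 12) != ETH_P_8021Q:
        return None
    return ethertype_at(frame, 14) & 0x0FFF

# Constructed sample data: locally administered MACs, minimal IPv4 header
# using documentation addresses 192.0.2.1 -> 192.0.2.2 (checksum left zero).
MACS = bytes.fromhex("020000000002" "020000000001")
IPV4 = bytes.fromhex("45000014" "00000000" "40010000" "c0000201" "c0000202")
UNTAGGED = MACS + struct.pack("!H", ETH_P_IP) + IPV4
TAGGED = MACS + struct.pack("!HHH", ETH_P_8021Q, 100, ETH_P_IP) + IPV4

def report() -> dict:
    """Map frame name -> (vlan id, matches 'ip', matches combined filter)."""
    frames = {"untagged": UNTAGGED, "tagged": TAGGED}
    return {n: (vlan_id(f), match_ip(f), match_either(f))
            for n, f in frames.items()}

if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```
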