[Snort-users] Snort not seeing IP-traffic, just Ether/Other

Kim.Halavakoski at ...16243... Kim.Halavakoski at ...16243...
Thu Apr 18 17:31:13 EDT 2013


Hi all,
tried the vlan filter earlier, didn't make any difference.
Also, I had not created vlan tagged interfaces since I am receiving
traffic from multiple VLANs and didn't think I needed to configure each
VLAN interface in order to get the traffic snorted...

But then after Eoin's VLAN interface comments and some googling and
testing setting up VLAN tagged interfaces I realized that the 8021q
module was not loaded in the kernel.  I tried loading that and created
some VLAN interfaces for one of the monitored VLANs and voilà, I am now
getting traffic. I did not need to create the VLAN interfaces and have
snort listen to those, just loading the 8021q module solved the issue
and I am now getting the traffic with snort and tcpdump.

So the solution in the end was:

# modprobe 8021q

Thanks guys!

-Kim


On 04/19/2013 12:23 AM, Tony Robinson wrote:
> Try this test first:
> 
> run tcpdump -i eth0 [other tcpdump options you use] vlan
> 
> use the option "vlan" as your ONLY filter option, or "vlan and host
> x.x.x.x" where host x.x.x.x is the ip address of a vlan'd host you want
> to grab traffic from. Tell us if you see traffic on the interface. If
> this works, you can give snort a BPF filter to sniff vlan and non-vlan
> tagged traffic.
> 
> On Thu, Apr 18, 2013 at 4:42 PM, Eoin Miller
> <eoin.miller at ...14586...
> <mailto:eoin.miller at ...14586...>> wrote:
> 
>     On 4/18/2013 20:36, Kim.Halavakoski at ...16243... wrote:
>     > Also, any VLAN action going on? Yes, there should be and are VLANs
>     > on the span port (Windows 7 sees them...) but for some reason the
>     > VLAN traffic is not seen by this box with the current configuration
>     > and OS..
> 
>     Yea, you need to create your VLAN interface on the box and sniff on that
>     in order to see the packets. Just how the OS is.
> 
>     http://unixfoo.blogspot.com/2007/12/linux-vlan-configuration.html
> 
>     -- Eoin
> 
>     _______________________________________________
>     Snort-users mailing list
>     Snort-users at lists.sourceforge.net
>     <mailto:Snort-users at lists.sourceforge.net>
>     Go to this URL to change user options or unsubscribe:
>     https://lists.sourceforge.net/lists/listinfo/snort-users
>     Snort-users list archive:
>     http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> 
>     Please visit http://blog.snort.org to stay current on all the latest
>     Snort news!
> 
> 
> -- 
> when does reality end? when does fantasy begin?
> 
> 
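A small check script for the fix above, added here and not part of the thread: it tells you whether 8021q is loaded by parsing lsmod output, and builds the combined tagged-plus-untagged BPF filter Tony mentioned, with the libpcap ordering caveat that bites people. The interface name, host address and the lsmod samples are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: diagnose the "no VLAN traffic"
# symptom (8021q not loaded) and build a BPF filter that sees a host on
# both untagged and 802.1Q-tagged frames.

# module_loaded NAME LSMOD_TEXT: succeeds if NAME is a loaded module.
# lsmod prints "Module Size Used by"; match on the first column only so
# that a substring (e.g. "8021q" inside a "Used by" list) does not count.
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" \
        'NR > 1 && $1 == m { found = 1 } END { exit !found }'
}

# vlan_aware_filter HOST: BPF that matches HOST on untagged and tagged frames.
# libpcap caveat: the first "vlan" keyword shifts the decoding offsets for the
# REST of the expression, so the untagged clause must come before it.
# "vlan and host X or host X" would silently only match tagged frames.
vlan_aware_filter() {
    printf 'host %s or (vlan and host %s)' "$1" "$1"
}

# Constructed lsmod output: the sensor before and after "modprobe 8021q".
SAMPLE_LSMOD_BEFORE='Module                  Size  Used by
e1000e                 12345  0
ipv6                   23456  18'
SAMPLE_LSMOD_AFTER="$SAMPLE_LSMOD_BEFORE
8021q                  34567  0"

# Live check on a sensor (needs root for modprobe). Kept in a function so
# the file can be sourced without side effects; argument is the interface.
ensure_8021q() {
    if module_loaded 8021q "$(lsmod)"; then
        echo "8021q already loaded"
    else
        echo "8021q missing; loading it"
        modprobe 8021q
    fi
    # Quick proof, as suggested upthread: show only tagged frames, with
    # link-layer headers (-e) so the VLAN id is visible.
    tcpdump -i "${1:-eth0}" -c 5 -nn -e vlan
}

# Stand-alone demo: print the filter you would hand to snort/tcpdump.
vlan_aware_filter 10.1.2.3; echo
```

Run `ensure_8021q eth1` as root on the sensor itself; the parsing and filter functions run anywhere.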
