Re: [Snort-users] VLAN Tagged Traffic - Some being missed
This is a discussion on Re: [Snort-users] VLAN Tagged Traffic - Some being missed within the Snort forums, part of the System Security and Security Related category; One more thing I forgot to add.... if you are using a C6500, then VACL capture ports can be configured ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
04-05-2004
|
|||
|
|||
Re: [Snort-users] VLAN Tagged Traffic - Some being missed
One more thing I forgot to add.... if you are using a C6500, then VACL capture ports can be configured on any port in any VLAN. The capture port only receives permitted traffic. No traffic can enter the switch through a capture port. With Cisco IOS Software Release 12.1(11b)E or earlier, only the Gigabit Ethernet monitor port on the IDS module can be configured as a capture port. Regards, Mark "Aaron" <snort@microchp.org> Sent by: To: snort-users@lists.sourceforge.net snort-users-admin@lists.sour cc: ceforge.net Subject: [Snort-users] VLAN Tagged Traffic - Some being missed 04/04/2004 08:30 PM Is there a trick to capturing traffic on Cisco capture ports? As Cisco is dropping "mirror" ports and going to capture ports, I now see vlan tagged traffic. The network folks will not let me use mirror ports any more since Cisco is removing that in future releases of their IOS, from what I hear. The problem is, that in that scenerio, I/Snort only see some of the traffic. Tcpdump also drops many of the packets. 38 packets captured 1414426 packets received by filter 1408138 packets dropped by kernel That is using libpcap 0.8.3 and tcpdump 3.8.3. Using older versions of libpcap and tcpdump, I see the vlan tags in the output. The latest version does not show them. Neither seems to capture all. This is on a circuit pushing about 500 megs of traffic. Even on the sensors that only have less than 100 megs of traffic I get the same results and about the same loss. The snort sensors are dual P4 xeon 2.8Ghz boxes with 1GB ram and ultra3 scsi disks. I am using barnyard 0.2.0-rc2, not that it makes a diff. Info only. Does it matter that I am getting traffic from multiple vlans? Can Snort handle that? Regards, Aaron ------------------------------------------------------- This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users ------------------------------------------------------- This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users 
|
Linear Mode
