Date:      Fri, 10 Oct 2003 11:42:28 +0100
From:      "Andrew White" <andywhite@ntlworld.ie>
To:        "'John'" <strgout@unixjunkie.com>, <freebsd-questions@freebsd.org>
Subject:   RE: snort + trunk + cat6500 + vacls
Message-ID:  <00c901c38f1b$33a4e780$0201a8c0@deskgx>
In-Reply-To: <20031009233817.GA22899@mail.unixjunkie.com>

Read
http://www.cisco.com/en/US/customer/products/hw/switches/ps700/products_tech_note09186a008015c612.shtml

Basically you hook up your snort interface to the switch, then tell the
switch to span out the relevant vlans to that port. As far as I'm aware,
these packets will be missing the tag header when they come out of the span
port, so you will see them as if they were all on your local wire.

Look at snort support groups for more details.

.Andrew

-----Original Message-----
From: owner-freebsd-questions@freebsd.org
[mailto:owner-freebsd-questions@freebsd.org] On Behalf Of John
Sent: 10 October 2003 00:38
To: freebsd-questions@freebsd.org
Subject: snort + trunk + cat6500 + vacls

i'm testing out alternatives for using span ports or inline taps and came
across a doc on using vlan acls to capture data and send them to a port for
sniffing. From what i understand the sniffer port needs to be a trunk port.
What i don't really understand is how freebsd is going to work with the trunk.
Do i need a vlan interface for every vlan in the trunk, or do i only need one
vlan interface to match the native vlan of the trunk?
Also what should i be sniffing? the vlan interface(s) or the real interface?

btw i'm no switch engineer so go easy on me :)

oh, and one more thing.
debug.bpf_bufsize: 4096 <- should this be increased or will snort override
this number?
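
One way to check whether the frames reaching the sensor interface still carry 802.1Q tags, which is the point the reply and the question turn on. This is an added example, not part of either message: it parses raw Ethernet frames and counts them per VLAN ID. The function names and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100   # IEEE 802.1Q customer tag
TPID_8021AD = 0x88A8  # IEEE 802.1ad service tag (QinQ)

def parse_vlan_tags(frame: bytes):
    """Return (vlan_ids, ethertype); vlan_ids is [] if untagged, None if truncated."""
    if len(frame) < 14:
        return None
    offset = 12  # skip destination and source MAC
    vlan_ids = []
    while True:
        if len(frame) < offset + 2:
            return None
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return vlan_ids, ethertype
        if len(frame) < offset + 4:
            return None  # tag header announced but cut off
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4

def summarize(frames):
    """Count frames per outermost VLAN ID, or as 'untagged' / 'truncated'."""
    counts = Counter()
    for f in frames:
        parsed = parse_vlan_tags(f)
        if parsed is None:
            counts["truncated"] += 1
        elif parsed[0]:
            counts[parsed[0][0]] += 1
        else:
            counts["untagged"] += 1
    return counts

# Constructed sample frames (not captured traffic).
MACS = bytes.fromhex("ffffffffffff" "020000000001")
UNTAGGED = MACS + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19
TAGGED_10 = MACS + struct.pack("!HHH", 0x8100, (3 << 13) | 10, 0x0800) + b"\x45" + b"\x00" * 19
TAGGED_20 = MACS + struct.pack("!HHH", 0x8100, 20, 0x0806) + b"\x00" * 28
CUT_SHORT = MACS + struct.pack("!H", 0x8100) + b"\x00"

if __name__ == "__main__":
    for key, n in summarize([UNTAGGED, TAGGED_10, TAGGED_10, TAGGED_20, CUT_SHORT]).items():
        print(key, n)
```

Fed with frames read from the sniffing interface, an all-untagged count matches the span-port behaviour described in the reply, while per-VLAN counts mean the port is delivering 802.1Q-tagged trunk traffic.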