From: "Andrew White"
To: "'John'"
Date: Fri, 10 Oct 2003 11:42:28 +0100
Subject: RE: snort + trunk + cat6500 + vacls

Read
http://www.cisco.com/en/US/customer/products/hw/switches/ps700/products_tech_note09186a008015c612.shtml

Basically you hook up your snort interface to the switch, then tell the switch to span out the relevant vlans to that port. As far as I'm aware, these packets will be missing the tag header when they come out the span port, so you will see them as if they were all on your local wire.

Look at snort support groups for more details.
.Andrew

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of John
Sent: 10 October 2003 00:38
To: freebsd-questions@freebsd.org
Subject: snort + trunk + cat6500 + vacls

I'm testing out alternatives for using span ports or inline taps and came across a doc on using vlan acls to capture data and send them to a port for sniffing. From what I understand the sniffer port needs to be a trunk port. What I don't really understand is how freebsd is going to work with the trunk. Do I need a vlan interface for every vlan in the trunk, or do I only need one vlan interface to match the native vlan of the trunk? Also what should I be sniffing? The vlan interface(s) or the real interface?

btw I'm no switch engineer so go easy on me :)

Oh, and one more thing.

debug.bpf_bufsize: 4096 <- should this be increased or will snort override this number?
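
Whether frames reach the sniffer with or without the tag header, the point the reply raises, can be checked on the capture itself. The Python below is an added example, not part of either message: it reports whether an Ethernet frame carries an 802.1Q tag (as on a trunk port) or arrives untagged (as the reply expects from a span port). The sample frames and the names build_frame, parse_vlan_tags and summarize are constructed for illustration.

```python
import struct
from collections import Counter

TPID_8021Q = 0x8100   # IEEE 802.1Q tag
TPID_8021AD = 0x88A8  # IEEE 802.1ad outer tag (QinQ)

def parse_vlan_tags(frame: bytes):
    """Return (vlan_ids, ethertype); vlan_ids is [] for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12  # skip destination and source MAC addresses
    vlan_ids = []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return vlan_ids, ethertype

def summarize(frames):
    """Count frames per outermost VLAN ID, or 'untagged'."""
    counts = Counter()
    for frame in frames:
        vlan_ids, _ = parse_vlan_tags(frame)
        counts[vlan_ids[0] if vlan_ids else "untagged"] += 1
    return dict(counts)

def build_frame(ethertype, vlan=None, priority=0):
    """Construct a sample frame (hypothetical MACs, zeroed payload)."""
    header = b"\xff" * 6 + bytes.fromhex("020000000001")
    if vlan is not None:
        header += struct.pack("!HH", TPID_8021Q, (priority << 13) | vlan)
    return header + struct.pack("!H", ethertype) + b"\x00" * 46

# Constructed samples: two tagged frames as seen on a trunk, one untagged
# frame as the reply expects from a span destination port.
TRUNK_FRAMES = [build_frame(0x0800, vlan=10, priority=5), build_frame(0x0806, vlan=20)]
SPAN_FRAMES = [build_frame(0x0800)]

if __name__ == "__main__":
    print("trunk:", summarize(TRUNK_FRAMES))
    print("span: ", summarize(SPAN_FRAMES))
```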