[unisog] what changes or filter required accommodate VLAN coding for Shadow, Snort/Acid and especially IPaudit

Jon Rifkin jon at bluet.ucc.uconn.edu
Fri Apr 18 17:37:13 GMT 2003


Mike -

I'm not sure exactly what information you're looking for, but maybe
my short rambling with regard to IPaudit and tcpdump will help.

> I see very little even in the tcpdump_workers list about dealing with
> VLANS and almost nothing in the SHADOW, Snort w/ACID and IPaudit
> documentation.

I think this can be characterized as a libpcap issue.  What follows
is based on my past experiments with libpcap and tcpdump.  I too
have not found any thorough documentation on this issue.

By the way, the latest version of ipaudit (packed with ipaudit-web, but
not yet with the plain vanilla ipaudit) understands vlan tagging.  It
can read vlan traffic.

> Subject: [unisog] what changes or filter required accommodate VLAN

When using a pcap filter with Ipaudit and tcpdump you need to use the
'vlan' expression.  For example, if you are sniffing vlan traffic
*without* a pcap filter, like the following command,

   > tcpdump -n -c 5

you'll get something like this (I've broken the long output lines into
several shorter indented lines):

   13:22:56.251316 802.1Q vlan#604 P0 137.99.158.65.5190 > 149.152.150.161.1799: 
      . 2505624341:2505625721(1380) ack 4275341656 win 15536 (DF)
   13:22:56.251318 802.1Q vlan#604 P0 137.99.143.213.2822 > 200.158.58.170.4236: 
       . 1197657223:1197658663(1440) ack 953773727 win 17027 
   	  <nop,nop,timestamp 9691868 135253> (DF)
   13:22:56.251319 802.1Q vlan#604 P0 216.136.175.48.http > 137.99.1.12.63059: 
        . 1698373132:1698374592(1460) ack 4178900178 win 65535 (DF)
   13:22:56.251320 802.1Q vlan#604 P0 64.12.25.223.5190 > 137.99.139.100.4352: 
        P 698203275:698203462(187) ack 2997038338 win 16384 (DF)
   13:22:56.251320 802.1Q vlan#604 P0 68.81.134.135.8302 > 137.99.179.155.6346: 
       . ack 4148541677 win 1460 (DF)

Note the 'vlan#604' label.

If however you want to use pcap filters, you need to include the 'vlan'
expression.  For example, the following will not work because 'vlan'
isn't included

   > tcpdump -n -c 5 port 80

but including the 'vlan' expression WILL work.

   > tcpdump -n -c 5 vlan and port 80

Strangely enough, switching the order of 'vlan' and 'port 80' in the
expression will break it; you'll get the following:

   > tcpdump -n -c 5 port 80 and vlan
	tcpdump: WARNING: eth2: no IPv4 address assigned
	tcpdump: expression rejects all packets

The same roughly applies to 'ipaudit' and its companion 'ipstrings'
*when* you use pcap filters.

I hope that helps.

- Jon
==============================================================================
# Jon Rifkin   # jon.rifkin at uconn.edu
# Information Technology Services  # University of Connecticut

> "Harris, Michael C." <HarrisMC at health.missouri.edu>
> 
> 04/18/2003 12:35 PM
> 
> 
> 
> To: <unisog at sans.org>, <tcpdump-workers at tcpdump.org>
> cc:
> Subject: [unisog] what changes or filter required accommodate VLAN
> coding for Shadow, Snort/Acid and especially IPaudit
> 
> 
> What changes have others made to accommodate VLANs using tcpdump based
> products like Shadow and snort with ACID
> 
> Am I missing something in having to deal with the two extra columns of
> 802.1q VLAN data? The raw tcpdump files are created just fine but won't
> the two extra characters in non raw (analyzed text output) at the
> beginning of the line of text throw off the analysis?
> 
> I assume others have either figured out how to strip those two
> columns out for each sensor feed or edit the fetchem scripts so their
> analysis deals with the extra columns. I am curious what others have
> done, particularly to the statistics.pl script that produces the daily
> stats.
> 
> I see very little even in the tcpdump_workers list about dealing with
> VLANS and almost nothing in the SHADOW, Snort w/ACID and IPaudit
> documentation. Am I missing something obvious here?
> 
> Mike
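
Worked example added to this archived thread (it is not code from the
thread, from tcpdump/libpcap, or from ipaudit/Shadow): the two points
above, in runnable form.  First, why a 'port 80' filter misses tagged
frames unless 'vlan' precedes it: an 802.1Q tag inserts 4 bytes after
the source MAC, so a filter compiled for a 14-byte Ethernet header reads
0x8100 where it expects the IPv4 ethertype, and the 'vlan' keyword is
what tells libpcap to test for the tag and shift every later offset by
4 (only terms that follow 'vlan' are shifted, which is why 'port 80 and
vlan' can never match).  Second, Mike's question about the two extra
columns in text output: a line parser that accepts the optional
"802.1Q vlan#604 P0" fields.  The frames and the untagged log line are
constructed for the example; the tagged log line is copied from Jon's
output above.  Function names (build_frame, filter_port,
filter_vlan_and_port, filter_port_and_vlan, parse_tcpdump_line) are this
example's own and mirror, not reproduce, libpcap's compiled tests.

```python
"""Added example, not from the original thread: 802.1Q tags and pcap
filter offsets, plus parsing tcpdump text lines with optional VLAN
columns.  All frames and the untagged log line are constructed."""
import re
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(src_port, dst_port, vlan_id=None, prio=0):
    """Build a minimal Ethernet/IPv4/TCP frame, optionally 802.1Q tagged.
    Constructed test input only: checksums are left as zero."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                      5 << 4, 0x10, 8192, 0, 0)          # 20-byte TCP header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     64, 6, 0, bytes([137, 99, 1, 12]),
                     bytes([216, 136, 175, 48]))          # 20-byte IPv4 header
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
    if vlan_id is None:
        return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp
    tci = (prio << 13) | (vlan_id & 0x0FFF)             # PCP:3 DEI:1 VID:12
    return (eth + struct.pack("!HH", ETHERTYPE_8021Q, tci)
            + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp)


def vlan_tag(frame):
    """Return (vid, priority), what tcpdump prints as 'vlan#604 P0', or None."""
    ethertype, tci = struct.unpack("!HH", frame[12:16])
    if ethertype != ETHERTYPE_8021Q:
        return None
    return tci & 0x0FFF, tci >> 13


def _port_match_at(frame, l2_len, port):
    """Mimic a compiled 'port N' test for a fixed link-layer length.
    The ethertype is the last two bytes of the link header; the IP
    header starts right after it."""
    (ethertype,) = struct.unpack("!H", frame[l2_len - 2:l2_len])
    if ethertype != ETHERTYPE_IPV4:
        return False
    ip = frame[l2_len:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] not in (6, 17):                             # TCP or UDP only
        return False
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return port in (sport, dport)


def filter_port(frame, port):
    """'port N' alone: libpcap assumes a 14-byte Ethernet header, so a
    tagged frame fails the ethertype test (offset 12 holds 0x8100)."""
    return _port_match_at(frame, 14, port)


def filter_vlan_and_port(frame, port, vlan_id=None):
    """'vlan [id] and port N': require the tag (optionally a specific VID),
    then evaluate the port test with offsets shifted by 4."""
    ethertype, tci = struct.unpack("!HH", frame[12:16])
    if ethertype != ETHERTYPE_8021Q:
        return False
    if vlan_id is not None and (tci & 0x0FFF) != vlan_id:
        return False
    return _port_match_at(frame, 18, port)


def filter_port_and_vlan(frame, port):
    """'port N and vlan': 'port N' was compiled before 'vlan' shifted the
    offsets, so it still wants 0x0800 at offset 12 while 'vlan' wants
    0x8100 there.  No frame satisfies both, hence 'expression rejects
    all packets'."""
    return filter_port(frame, port) and vlan_tag(frame) is not None


# Optional "802.1Q vlan#<vid> P<prio>" columns between timestamp and src.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q vlan#(?P<vid>\d+) P(?P<prio>\d)\s+)?"
    r"(?P<src>\S+) > (?P<dst>\S+):")


def parse_tcpdump_line(line):
    """Parse a tcpdump text line with or without the VLAN columns; returns
    a dict with vid/prio set to None for untagged traffic."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["vid"] = int(d["vid"]) if d["vid"] is not None else None
    d["prio"] = int(d["prio"]) if d["prio"] is not None else None
    return d


if __name__ == "__main__":
    tagged = build_frame(80, 63059, vlan_id=604)
    plain = build_frame(80, 63059)
    print("tag on tagged frame:", vlan_tag(tagged))
    print("'port 80' on tagged:", filter_port(tagged, 80))
    print("'vlan and port 80' on tagged:", filter_vlan_and_port(tagged, 80))
    print("'port 80 and vlan' on tagged:", filter_port_and_vlan(tagged, 80))
    print(parse_tcpdump_line("13:22:56.251319 802.1Q vlan#604 P0 "
                             "216.136.175.48.http > 137.99.1.12.63059: ."))
```

The line parser is the fix Mike asks about for the fetchem/statistics
scripts: make the VLAN columns optional rather than stripping them, so
one regex serves both tagged and untagged sensor feeds and the VID is
kept as a field if the stats ever need it.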