NSM and VLANs

From NSMWiki

It seems to be a common problem that many pcap-aware analysis utilities fail when the packets have 802.1Q VLAN tags attached to them. Usually, this is because the original author never thought of this possibility, and when they checked to see if the Ethernet frame contained a valid IP packet, they forgot to check to see if there was a VLAN tag present, and thus all their field offsets were thrown off by 4 bytes (the length of the VLAN tag prepended to the frame).
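To make the offset problem concrete, here is an added example (not code from NSMWiki or from any of the tools listed below) showing a naive frame decoder that assumes the IPv4 header always starts at byte 14 next to one that walks past the tag first. The sample frames, MAC addresses and IP addresses are constructed for the example; the walker also goes beyond the page's single-802.1Q case by accepting an 802.1ad (0x88A8) outer tag so stacked "QinQ" tags are handled the same way.

```python
import struct

ETH_HDR_LEN = 14          # dst MAC (6) + src MAC (6) + EtherType (2)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100   # 802.1Q tag: 2-byte TPID + 2-byte TCI prepended before the real EtherType
ETHERTYPE_QINQ = 0x88A8   # 802.1ad service tag (outer tag of a stacked pair); assumption beyond the page


def decode_ipv4_header(frame, offset):
    """Decode the fields an NSM tool typically wants from an IPv4 header at `offset`."""
    if len(frame) < offset + 20:
        return None
    (version_ihl, _tos, _total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", frame[offset:offset + 20])
    if version_ihl >> 4 != 4:
        return None
    return {"src": ".".join(str(b) for b in src),
            "dst": ".".join(str(b) for b in dst),
            "proto": proto, "ttl": ttl}


def naive_parse(frame):
    """The bug the page describes: read the IP header at a fixed offset of 14 bytes.

    On a tagged frame byte 14 is the high byte of the inner EtherType (0x08), so the
    version nibble is 0 and the frame is silently dropped as 'not IP'."""
    return decode_ipv4_header(frame, ETH_HDR_LEN)


def find_ip_offset(frame):
    """Skip any 802.1Q / 802.1ad tags; return (offset of IPv4 header, list of VLAN ids)."""
    offset = 12                     # position of the first EtherType / TPID field
    vlan_ids = []
    while True:
        if len(frame) < offset + 2:
            return None, vlan_ids
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        offset += 2
        if ethertype in (ETHERTYPE_VLAN, ETHERTYPE_QINQ):
            if len(frame) < offset + 2:
                return None, vlan_ids
            tci = struct.unpack("!H", frame[offset:offset + 2])[0]
            vlan_ids.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VLAN id
            offset += 2                     # the next two bytes are the next EtherType
            continue
        if ethertype == ETHERTYPE_IPV4:
            return offset, vlan_ids
        return None, vlan_ids               # ARP, IPv6, etc.: not handled here


def vlan_aware_parse(frame):
    """Correct decoder: locate the IPv4 header behind zero or more VLAN tags."""
    offset, vlan_ids = find_ip_offset(frame)
    if offset is None:
        return None
    header = decode_ipv4_header(frame, offset)
    if header is not None:
        header["vlans"] = vlan_ids
    return header


# ---- constructed sample frames (not captured traffic) ----
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")


def build_ipv4_header(src, dst, proto=6, ttl=64):
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    # minimal 20-byte header, checksum left as 0 since nothing here validates it
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0x4000, ttl, proto, 0, src_b, dst_b)


def build_frame(vlan_ids=()):
    """Ethernet header, zero or more VLAN tags, then an IPv4 header 10.0.0.1 -> 10.0.0.2."""
    tags = b""
    for i, vid in enumerate(vlan_ids):
        outer_of_pair = len(vlan_ids) > 1 and i == 0
        tpid = ETHERTYPE_QINQ if outer_of_pair else ETHERTYPE_VLAN
        tags += struct.pack("!HH", tpid, vid & 0x0FFF)   # priority/DEI bits left at 0
    return DST_MAC + SRC_MAC + tags + struct.pack("!H", ETHERTYPE_IPV4) \
        + build_ipv4_header("10.0.0.1", "10.0.0.2")


UNTAGGED_FRAME = build_frame()
TAGGED_FRAME = build_frame((100,))
QINQ_FRAME = build_frame((200, 100))

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED_FRAME), ("802.1Q", TAGGED_FRAME), ("QinQ", QINQ_FRAME)):
        print(f"{name:>9}: naive={naive_parse(frame)}  vlan-aware={vlan_aware_parse(frame)}")
```

The naive decoder handles the untagged frame and returns nothing for either tagged frame, which is exactly the failure mode the paragraph above describes; the tag-aware decoder returns the same IP fields for all three and additionally reports the VLAN ids, which is worth recording in any alert or session record since the same addresses can legitimately appear on different VLANs. Both decoders refuse truncated frames rather than reading past the end of the buffer.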

Fortunately, rudimentary VLAN support is often not very difficult to add. The following is a list of applications which are known to either support VLANs natively, or for which a VLAN patch is available.

  • Snort: Supports VLANs natively
  • Wireshark: Supports VLANs natively
  • SANCP: Supports VLANs natively
  • Tcpdump: Supports VLANs natively
  • PADS: v1.2 requires a patch (available here)
  • Tcpflow: v0.21 requires a patch (available here)
  • Tcpxtract: v1.0.1 requires a patch (available here)
  • p0f: Supports VLANs with the -v option. You will need to edit lib/SguildTranscript.tcl to pass this option to p0f. N.B.: This will affect ALL sensors, so use at your own risk if your sguild receives input from sensors with and without VLAN tags.

Finally, if you don't feel like dealing with all this VLAN stuff in software, it's possible that you could configure your OS to take care of this for you.