Wednesday, November 29, 2006

VLAN tag problem with OpenBSD tcpdump

It looks like the tcpdump/libpcap provided with OpenBSD has a problem with VLAN-tagged traffic. The fix is to download both from tcpdump.org and compile them fresh.

Note: usually you WANT to use the OpenBSD-provided packages and ports, because someone more knowledgeable than you tweaked them to work. Not in this case, though.

http://www.vorant.com/nsmwiki/index.php?title=OS_Anomalies

From #snort-gui:

(05:58:12) jontow: uh.. excellent? openbsd 4.0's tcpdump doesn't support vlan tags?
(05:58:33) jontow: ^:root@volvere:/nsm/manual-pcap# tcpdump -n -v -i xl1 vlan
(05:58:33) jontow: tcpdump: WARNING: xl1: no IPv4 address assigned
(05:58:33) jontow: tcpdump: syntax error
(06:15:07) jontow: yeah, what the shit.. if i compile it from source, too, from tcpdump.org the vlan filter still doesn't work
(06:15:08) jontow: grrr
(06:15:49) jontow: this sensor is useless without it
(06:16:03) jontow: stupid span port on these foundry switches send all packets still-tagged
(06:16:30) jontow: maybe they compiled pcap without vlan support.. :/
(06:34:47) rwatson: jontow: "doesn't work" in what sense? there are a lot of bugs in various IP stacks relating to mixing and matching things like promiscuous mode, hardware assisted vlan tagging, etc.
(06:34:56) rwatson: jontow: if you can't get it to work still, try disabling hardware vlan assist
(06:35:33) rwatson: jontow: this won't help with rule syntax errors, of course. :-)
(06:42:44) helevius: jontow: try naming a vlan to watch, like 'vlan 10'
(06:42:56) helevius: That might make a difference, might not
(06:45:08) helevius: It probably won't
(06:47:05) jontow: it literally is just the syntax
(06:47:18) jontow: it works fine, i've compiled libpcap/tcpdump from the tcpdump.org site and it's fine now
(06:47:54) jontow: the bundled one just doesn't include support for vlan tags at all
(06:48:32) jontow: really odd that they didn't do that though.. oversight maybe?
(06:48:49) drape: i know on fbsd some interfaces don't support vlan tags :/. found that out the hard way.
(06:49:00) jontow: that's not a problem -- these do, and it's confirmed on freebsd ;)
(06:49:38) jontow: richard; specifying a tag doesn't change the syntax error problem btw :/
(06:49:51) jontow: this means though; that i need to be recompiling snort
(06:49:58) jontow: since i'm sure it's linked into the native pcap
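
Why a sensor fed still-tagged frames needs VLAN-aware decoding, as an added Python example (not part of the original post or the chat): an 802.1Q tag puts 0x8100 where the EtherType normally sits and pushes the real EtherType and payload back by 4 bytes, so a check at the untagged offset misses the traffic. The frames, MAC addresses and function names are constructed for illustration; VLAN 10 echoes the 'vlan 10' suggestion in the chat.

```python
import struct

ETH_P_8021Q = 0x8100  # 802.1Q tag protocol identifier
ETH_P_IP = 0x0800     # IPv4 EtherType


def naive_is_ipv4(frame: bytes) -> bool:
    """Check the EtherType at the untagged offset only (no VLAN awareness)."""
    return struct.unpack_from("!H", frame, 12)[0] == ETH_P_IP


def parse_ethernet(frame: bytes) -> dict:
    """Walk any 802.1Q tags and return VLAN IDs, real EtherType and payload offset."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12
    vlans = []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype == ETH_P_8021Q:
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        # Tag layout: TPID (2 bytes) | TCI (2 bytes), then the next EtherType.
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vlans.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4                 # each tag shifts later fields by 4 bytes
    return {"vlans": vlans, "ethertype": ethertype, "payload_offset": offset + 2}


# Constructed sample data: broadcast destination, locally administered source,
# and a minimal IPv4 header whose checksum is left at zero.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
IP_HDR = bytes.fromhex("4500001400000000400100000a0000010a000002")

UNTAGGED = DST + SRC + struct.pack("!H", ETH_P_IP) + IP_HDR
TAGGED = DST + SRC + struct.pack("!HHH", ETH_P_8021Q, 10, ETH_P_IP) + IP_HDR

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("tagged", TAGGED)):
        print(name, "naive ipv4 match:", naive_is_ipv4(frame), parse_ethernet(frame))
```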

