
Re: Multiple interfaces + vlan tagging.



On Sun, 2002-11-17 at 12:22, Scott A. McIntyre wrote:
> Hi,
> 
> How might one configure firestorm so that it will pay attention to specific
> interfaces on a multiple interface system, but not "any" interface?  I have
> two three that I'd like to monitor, but not all.

There are a few choices:

1.  Run multiple instances of firestorm, one on each interface.
2a. If using Linux - hack the linux capdev to open multiple fd's
    and poll on all of them. Packet capture will be O(n) for number of
    interfaces.
2b. Hack libpcap to do the same thing...
3.  Write a preprocessor integrated with Linux SLL decoder that can take
    options specifying what interfaces you want to see traffic for and
    drop all other frames.

I'm not sure which I find the most aesthetically pleasing. Certainly
number 1 can be done now and is cross-platform ;)

2a/2b seem likely future solutions. I'd be happy to hack 2a, but 2b
would be a job for the libpcap people (unless it can already do this and
I'm just being silly).

> Secondly, what is the correct way to handle traffic which contains vlan
> tags?  I don't necessarily want them for processing, but firestorm doesn't
> seem to acknowledge traffic on a link that is vlan tagged (extra bytes it's
> not expecting in the ethernet frame, presumably)...

Hmmm, firestorm should fully support the vlan tags since 0.4.3, i.e. it
should see IP traffic inside it and alert on relevant traffic. If this
is not the case could you send me some tcpdump capture files (off-list)
and I can check it out...

HTH.

-- 
// Gianni Tedesco (gianni at ecsc dot co dot uk)
lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
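
The "extra bytes" raised in the VLAN question above are the 4-byte 802.1Q tag that sits between the source MAC and the real EtherType. As an added example (not firestorm's code and not part of the original message), this C function steps over the tag to reach the encapsulated protocol and rejects truncated frames; the names `find_l3` and `l3_info`, the tag-depth limit and the sample frame are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define ETH_HDR_LEN    14      /* dst MAC + src MAC + EtherType */
#define VLAN_TAG_LEN   4       /* TPID (2 bytes) + TCI (2 bytes) */
#define ETHERTYPE_VLAN 0x8100  /* 802.1Q TPID */
#define MAX_VLAN_DEPTH 2       /* assumption: accept at most one stacked tag */

struct l3_info {
    uint16_t ethertype;  /* EtherType of the encapsulated payload */
    uint16_t vlan_id;    /* VID of the outermost tag, 0 if untagged */
    size_t   offset;     /* byte offset of the payload within the frame */
};

/* Constructed sample frame: MACs, 802.1Q tag (VID 100), IPv4 type, one IP byte. */
static const uint8_t sample_tagged[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0,0,0,0,0x01,
    0x81,0x00, 0x00,0x64, 0x08,0x00, 0x45 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, -1 if the frame is truncated or tagged too deeply. */
int find_l3(const uint8_t *frame, size_t len, struct l3_info *out)
{
    size_t off = ETH_HDR_LEN - 2;      /* position of the EtherType/TPID field */
    int depth = 0;

    if (len < ETH_HDR_LEN)
        return -1;
    out->vlan_id = 0;
    while (be16(frame + off) == ETHERTYPE_VLAN) {
        /* need the TCI and the EtherType that follows the tag */
        if (++depth > MAX_VLAN_DEPTH || len < off + 2 + VLAN_TAG_LEN)
            return -1;
        if (depth == 1)
            out->vlan_id = be16(frame + off + 2) & 0x0fff;  /* low 12 bits of TCI */
        off += VLAN_TAG_LEN;
    }
    out->ethertype = be16(frame + off);
    out->offset = off + 2;
    return 0;
}

int main(void)
{
    struct l3_info i;
    return find_l3(sample_tagged, sizeof sample_tagged, &i) == 0 && i.vlan_id == 100 ? 0 : 1;
}
```

A decoder that assumes the payload always starts at byte 14 would read the TCI and inner EtherType as the start of the IP header, which is how tagged traffic ends up silently ignored by a sensor.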
