[prev in list] [next in list] [prev in thread] [next in thread]
List: security-onion
Subject: RE: [security-onion] Vlan Tags in the pcaps?
From: "Ben Wright" <benw () coriumintl ! com>
Date: 2014-02-27 16:09:15
Message-ID: 1B9A43508C273B4EA9B7AD90914681A508439C8E () cmgitsvr04 ! coriumintl ! com
[Download RAW message or body]
This is a multi-part MIME message.
That's the plan, but recently on only one of my vlan's they haven't been
getting the appropriate address after tagging correctly. We are trying
to replace our core routing switch and am baffled with this behavior.
From: security-onion@googlegroups.com
[mailto:security-onion@googlegroups.com] On Behalf Of Justin Knox
Sent: Thursday, February 27, 2014 11:06 AM
To: security-onion@googlegroups.com
Subject: Re: [security-onion] Vlan Tags in the pcaps?
do your phones boot up untagged first, look for a dhcp scope option that
tells them what vlan they're supposed to be on, then reboot to start
tagging their traffic correctly?
On Thu, Feb 27, 2014 at 10:39 AM, coriumintl <benw@coriumintl.com>
wrote:
it feels simpler to setup specific mirror ports, rather than try and
filter out the noise.
I'm trying to figure out why Voice Vlan doesn't get the correct address
from DHCP when the device is on a specific vlan, but works properly on
the other vlans. my phones always 8021q tag correclty but will get the
wrong IP on a specific vlan.
On Thursday, February 27, 2014 10:28:40 AM UTC-5, Doug Burks wrote:
> I haven't done any VLAN tests myself, but if the issue is strictly
>
> with netsniff-ng not writing the VLAN tags to disk, perhaps you could
>
> try using tcpdump/daemonlogger (already included in Security Onion).
>
>
>
> On Thu, Feb 27, 2014 at 10:25 AM, coriumintl <@coriumintl.com> wrote:
>
> > So, I'm better off downloading a NST ISO and capturing my traffic on
both ends then.
>
> >
>
> > On Thursday, February 27, 2014 10:14:18 AM UTC-5, Justin Knox wrote:
>
> > > Hi all,
>
> > > I should clarify. My final statement in that thread could be
misleading. tcpdump will still see the vlan tags on wide open capture.
netsniff-ng's output to disk has those tags stripped.
>
> > >
>
> > >
>
> > >
>
> > > --Justin
>
> > >
>
> > >
>
> > >
>
> > > On Thu, Feb 27, 2014 at 8:43 AM, coriumintl <be...@coriumintl.com>
wrote:
>
> > >
>
> > > Sort of, what I'm looking is to see the 802.1q tagging. Was hoping,
since I use SO, that I could just use it's Pcaps to try and troubleshoot
an issue i'm having with my Shoretel phones on a specific vlan but I
can't see the tags in the caps.
>
> > >
>
> > >
>
> > >
>
> > >
>
> > > I thought I had this working at one time.
>
> > >
>
> > >
>
> > >
>
> > >
>
> > > On Wednesday, February 26, 2014 7:25:08 AM UTC-5, Doug Burks wrote:
>
> > >
>
> > > > Hi benw,
>
> > >
>
> > > >
>
> > >
>
> > > >
>
> > >
>
> > > >
>
> > >
>
> > > > Can you be more specific, please? Are you wanting to see VLAN
tags in
>
> > >
>
> > > >
>
> > >
>
> > > > your netsniff-ng pcaps, but they're not appearing there? Have
you
>
> > >
>
> > > >
>
> > >
>
> > > > seen the following thread?
>
> > >
>
> > > >
>
> > >
>
> > > >
https://groups.google.com/d/topic/security-onion/DLvzwRYVdxg/discussion
>
> > >
>
> > > >
>
> > >
>
> > > >
>
> > >
>
> > > >
>
> > >
>
> > >
>
> > >
>
> > > > On Tue, Feb 25, 2014 at 3:25 PM, coriumintl wrote:
>
> > >
>
> > > >
>
> > >
>
> > > > > I was wondering what needs to be enabled. my sensors are using
Intel server multiport NICs, at the moment i can't get model numbers.
>
> > >
>
> > > >
>
> > >
>
> > > > >
>
> > >
>
> > > >
>
> > >
>
> > > > > --
>
> > >
>
> > > >
>
> > >
>
> > > > > You received this message because you are subscribed to the
Google Groups "security-onion" group.
>
> > >
>
> > > >
>
> > >
>
> > > > > To unsubscribe from this group and stop receiving emails from
it, send an email to security-onio...@googlegroups.com.
>
> > >
>
> > > >
>
> > >
>
> > > > > To post to this group, send email to
securit...@googlegroups.com.
>
> > >
>
> > > >
>
> > >
>
> > > > > Visit this group at
http://groups.google.com/group/security-onion.
>
> > >
>
> > > >
>
> > >
>
> > > > > For more options, visit
https://groups.google.com/groups/opt_out.
>
> > >
>
> > > >
>
> > >
>
> > > >
>
> > >
>
> > > >
>
> > >
>
> > > >
>
> > >
>
> > > >
>
> > >
>
> > > >
>
> > >
>
> > > >
>
> > >
>
> > > > --
>
> > >
>
> > > >
>
> > >
>
> > > > Doug Burks
>
> > >
>
> > >
>
> > >
>
> > > --
>
> > >
>
> > > You received this message because you are subscribed to the Google
Groups "security-onion" group.
>
> > >
>
> > > To unsubscribe from this group and stop receiving emails from it,
send an email to security-onio...@googlegroups.com.
>
> > >
>
> > > To post to this group, send email to securit...@googlegroups.com.
>
> > >
>
> > > Visit this group at http://groups.google.com/group/security-onion.
>
> > >
>
> > > For more options, visit https://groups.google.com/groups/opt_out.
>
> >
>
> > --
>
> > You received this message because you are subscribed to the Google
Groups "security-onion" group.
>
> > To unsubscribe from this group and stop receiving emails from it,
send an email to security-onion+unsubscribe@googlegroups.com
<mailto:security-onion%2Bunsubscribe@googlegroups.com> .
>
> > To post to this group, send email to
security-onion@googlegroups.com.
>
> > Visit this group at http://groups.google.com/group/security-onion.
>
> > For more options, visit https://groups.google.com/groups/opt_out.
>
>
>
>
>
>
>
> --
>
> Doug Burks
--
You received this message because you are subscribed to the Google
Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to security-onion+unsubscribe@googlegroups.com
<mailto:security-onion%2Bunsubscribe@googlegroups.com> .
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/groups/opt_out.
--
You received this message because you are subscribed to a topic in the
Google Groups "security-onion" group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/security-onion/Gh21XB0CYgo/unsubscribe
.
To unsubscribe from this group and all its topics, send an email to
security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/groups/opt_out.
CONFIDENTIALITY NOTICE: This e-mail transmission, and any attachments, is intended \
only for the use of the individual
or entity named above and may contain information that is confidential, privileged \
and exempt from disclosure under
applicable law. If you are not the intended recipient, you are hereby notified that \
any disclosure, copying, distribution
or use of any of the information contained in this transmission is strictly \
PROHIBITED.
--
You received this message because you are subscribed to the Google Groups \
"security-onion" group. To unsubscribe from this group and stop receiving emails from \
it, send an email to security-onion+unsubscribe@googlegroups.com. To post to this \
group, send email to security-onion@googlegroups.com. Visit this group at \
http://groups.google.com/group/security-onion. For more options, visit \
https://groups.google.com/groups/opt_out.
[Attachment #3 (text/html)]
<html xmlns:v="urn:schemas-microsoft-com:vml" \
xmlns:o="urn:schemas-microsoft-com:office:office" \
xmlns:w="urn:schemas-microsoft-com:office:word" \
xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" \
xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" \
CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 \
(filtered medium)"><style><!-- /* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div \
class=WordSection1><p class=MsoNormal><span \
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>That’s \
the plan, but recently on only one of my vlan’s they haven’t been getting \
the appropriate address after tagging correctly. We are trying to replace our core \
routing switch and am baffled with this behavior.<o:p></o:p></span></p><p \
class=MsoNormal><span \
style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p \
class=MsoNormal><b><span \
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span \
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> \
security-onion@googlegroups.com [mailto:security-onion@googlegroups.com] <b>On Behalf \
Of </b>Justin Knox<br><b>Sent:</b> Thursday, February 27, 2014 11:06 AM<br><b>To:</b> \
security-onion@googlegroups.com<br><b>Subject:</b> Re: [security-onion] Vlan Tags in \
the pcaps?<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><p \
class=MsoNormal>do your phones boot up untagged first, look for a dhcp scope option \
that tells them what vlan they're supposed to be on, then reboot to start tagging \
their traffic correctly?<o:p></o:p></p><div><p \
class=MsoNormal><o:p> </o:p></p></div><div><p \
class=MsoNormal><o:p> </o:p></p></div></div><div><p class=MsoNormal \
style='margin-bottom:12.0pt'><o:p> </o:p></p><div><p class=MsoNormal>On Thu, Feb \
27, 2014 at 10:39 AM, coriumintl <<a href="mailto:benw@coriumintl.com" \
target="_blank">benw@coriumintl.com</a>> wrote:<o:p></o:p></p><p \
class=MsoNormal>it feels simpler to setup specific mirror ports, rather than try and \
filter out the noise.<br><br>I'm trying to figure out why Voice Vlan doesn't get the \
correct address from DHCP when the device is on a specific vlan, but works properly \
on the other vlans. my phones always 8021q tag correclty but will get the wrong IP on \
a specific vlan.<o:p></o:p></p><div><p class=MsoNormal><br>On Thursday, February 27, \
2014 10:28:40 AM UTC-5, Doug Burks wrote:<br>> I haven't done any VLAN tests \
myself, but if the issue is strictly<br>><br>> with netsniff-ng not writing the \
VLAN tags to disk, perhaps you could<br>><br>> try using tcpdump/daemonlogger \
(already included in Security \
Onion).<br>><br>><br>><o:p></o:p></p></div><div><div><p class=MsoNormal>> \
On Thu, Feb 27, 2014 at 10:25 AM, coriumintl <@<a href="http://coriumintl.com" \
target="_blank">coriumintl.com</a>> wrote:<br>><br>> > So, I'm better off \
downloading a NST ISO and capturing my traffic on both ends then.<br>><br>> \
><br>><br>> > On Thursday, February 27, 2014 10:14:18 AM UTC-5, Justin \
Knox wrote:<br>><br>> >> Hi all,<br>><br>> >> I should \
clarify. My final statement in that thread could be misleading. tcpdump will still \
see the vlan tags on wide open capture. netsniff-ng's output to disk has those tags \
stripped.<br>><br>> >><br>><br>> >><br>><br>> \
>><br>><br>> >> --Justin<br>><br>> >><br>><br>> \
>><br>><br>> >><br>><br>> >> On Thu, Feb 27, 2014 at \
8:43 AM, coriumintl <<a \
href="mailto:be...@coriumintl.com">be...@coriumintl.com</a>> \
wrote:<br>><br>> >><br>><br>> >> Sort of, what I'm looking is \
to see the 802.1q tagging. Was hoping, since I use SO, that I could just use it's \
Pcaps to try and troubleshoot an issue i'm having with my Shoretel phones on a \
specific vlan but I can't see the tags in the caps.<br>><br>> \
>><br>><br>> >><br>><br>> >><br>><br>> \
>><br>><br>> >> I thought I had this working at one \
time.<br>><br>> >><br>><br>> >><br>><br>> \
>><br>><br>> >><br>><br>> >> On Wednesday, February 26, \
2014 7:25:08 AM UTC-5, Doug Burks wrote:<br>><br>> >><br>><br>> \
>> > Hi benw,<br>><br>> >><br>><br>> >> \
><br>><br>> >><br>><br>> >> ><br>><br>> \
>><br>><br>> >> ><br>><br>> >><br>><br>> \
>> > Can you be more specific, please? Are you wanting to see VLAN \
tags in<br>><br>> >><br>><br>> >> ><br>><br>> \
>><br>><br>> >> > your netsniff-ng pcaps, but they're not \
appearing there? Have you<br>><br>> >><br>><br>> >> \
><br>><br>> >><br>><br>> >> > seen the following \
thread?<br>><br>> >><br>><br>> >> ><br>><br>> \
>><br>><br>> >> > <a \
href="https://groups.google.com/d/topic/security-onion/DLvzwRYVdxg/discussion" \
target="_blank">https://groups.google.com/d/topic/security-onion/DLvzwRYVdxg/discussion</a><br>><br>> \
>><br>><br>> >> ><br>><br>> >><br>><br>> \
>> ><br>><br>> >><br>><br>> >> ><br>><br>> \
>><br>><br>> >><br>><br>> >><br>><br>> >> \
> On Tue, Feb 25, 2014 at 3:25 PM, coriumintl wrote:<br>><br>> \
>><br>><br>> >> ><br>><br>> >><br>><br>> \
>> > > I was wondering what needs to be enabled. my sensors are using \
Intel server multiport NICs, at the moment i can't get model numbers.<br>><br>> \
>><br>><br>> >> ><br>><br>> >><br>><br>> \
>> > ><br>><br>> >><br>><br>> >> \
><br>><br>> >><br>><br>> >> > > --<br>><br>> \
>><br>><br>> >> ><br>><br>> >><br>><br>> \
>> > > You received this message because you are subscribed to the Google \
Groups "security-onion" group.<br>><br>> >><br>><br>> \
>> ><br>><br>> >><br>><br>> >> > > To \
unsubscribe from this group and stop receiving emails from it, send an email to <a \
href="mailto:security-onio...@googlegroups.com">security-onio...@googlegroups.com</a>.<br>><br>> \
>><br>><br>> >> ><br>><br>> >><br>><br>> \
>> > > To post to this group, send email to <a \
href="mailto:securit...@googlegroups.com">securit...@googlegroups.com</a>.<br>><br>> \
>><br>><br>> >> ><br>><br>> >><br>><br>> \
>> > > Visit this group at <a \
href="http://groups.google.com/group/security-onion" \
target="_blank">http://groups.google.com/group/security-onion</a>.<br>><br>> \
>><br>><br>> >> ><br>><br>> >><br>><br>> \
>> > > For more options, visit <a \
href="https://groups.google.com/groups/opt_out" \
target="_blank">https://groups.google.com/groups/opt_out</a>.<br>><br>> \
>><br>><br>> >> ><br>><br>> >><br>><br>> \
>> ><br>><br>> >><br>><br>> >> ><br>><br>> \
>><br>><br>> >> ><br>><br>> >><br>><br>> \
>> ><br>><br>> >><br>><br>> >> ><br>><br>> \
>><br>><br>> >> ><br>><br>> >><br>><br>> \
>> > --<br>><br>> >><br>><br>> >> \
><br>><br>> >><br>><br>> >> > Doug \
Burks<br>><br>> >><br>><br>> >><br>><br>> \
>><br>><br>> >> --<br>><br>> >><br>><br>> \
>> You received this message because you are subscribed to the Google Groups \
"security-onion" group.<br>><br>> >><br>><br>> >> \
To unsubscribe from this group and stop receiving emails from it, send an email to <a \
href="mailto:security-onio...@googlegroups.com">security-onio...@googlegroups.com</a>.<br>><br>> \
>><br>><br>> >> To post to this group, send email to <a \
href="mailto:securit...@googlegroups.com">securit...@googlegroups.com</a>.<br>><br>> \
>><br>><br>> >> Visit this group at <a \
href="http://groups.google.com/group/security-onion" \
target="_blank">http://groups.google.com/group/security-onion</a>.<br>><br>> \
>><br>><br>> >> For more options, visit <a \
href="https://groups.google.com/groups/opt_out" \
target="_blank">https://groups.google.com/groups/opt_out</a>.<br>><br>> \
><br>><br>> > --<br>><br>> > You received this message because \
you are subscribed to the Google Groups "security-onion" \
group.<br>><br>> > To unsubscribe from this group and stop receiving emails \
from it, send an email to <a \
href="mailto:security-onion%2Bunsubscribe@googlegroups.com">security-onion+unsubscribe@googlegroups.com</a>.<br>><br>> \
> To post to this group, send email to <a \
href="mailto:security-onion@googlegroups.com">security-onion@googlegroups.com</a>.<br>><br>> \
> Visit this group at <a href="http://groups.google.com/group/security-onion" \
target="_blank">http://groups.google.com/group/security-onion</a>.<br>><br>> \
> For more options, visit <a href="https://groups.google.com/groups/opt_out" \
target="_blank">https://groups.google.com/groups/opt_out</a>.<br>><br>><br>><br>><br>><br>><br>><br>> \
--<br>><br>> Doug Burks<br><br>--<br>You received this message because you are \
subscribed to the Google Groups "security-onion" group.<br>To unsubscribe \
from this group and stop receiving emails from it, send an email to <a \
href="mailto:security-onion%2Bunsubscribe@googlegroups.com">security-onion+unsubscribe@googlegroups.com</a>.<br>To \
post to this group, send email to <a \
href="mailto:security-onion@googlegroups.com">security-onion@googlegroups.com</a>.<br>Visit \
this group at <a href="http://groups.google.com/group/security-onion" \
target="_blank">http://groups.google.com/group/security-onion</a>.<br>For more \
options, visit <a href="https://groups.google.com/groups/opt_out" \
target="_blank">https://groups.google.com/groups/opt_out</a>.<o:p></o:p></p></div></div></div><p \
class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>-- <br>You received \
this message because you are subscribed to a topic in the Google Groups \
"security-onion" group.<br>To unsubscribe from this topic, visit <a \
href="https://groups.google.com/d/topic/security-onion/Gh21XB0CYgo/unsubscribe">https://groups.google.com/d/topic/security-onion/Gh21XB0CYgo/unsubscribe</a>.<br>To \
unsubscribe from this group and all its topics, send an email to <a \
href="mailto:security-onion+unsubscribe@googlegroups.com">security-onion+unsubscribe@googlegroups.com</a>.<br>To \
post to this group, send email to <a \
href="mailto:security-onion@googlegroups.com">security-onion@googlegroups.com</a>.<br>Visit \
this group at <a href="http://groups.google.com/group/security-onion">http://groups.google.com/group/security-onion</a>.<br>For \
more options, visit <a \
href="https://groups.google.com/groups/opt_out">https://groups.google.com/groups/opt_out</a>.<o:p></o:p></p></div></body></html>
<pre>
CONFIDENTIALITY NOTICE: This e-mail transmission, and any attachments, is intended \
only for the use of the individual
or entity named above and may contain information that is confidential, privileged \
and exempt from disclosure under
applicable law. If you are not the intended recipient, you are hereby notified that \
any disclosure, copying, distribution
or use of any of the information contained in this transmission is strictly \
PROHIBITED.</pre>
<p></p>
-- <br />
You received this message because you are subscribed to the Google Groups \
"security-onion" group.<br /> To unsubscribe from this group and stop \
receiving emails from it, send an email to \
security-onion+unsubscribe@googlegroups.com.<br /> To post to this group, send email \
to security-onion@googlegroups.com.<br /> Visit this group at <a \
href="http://groups.google.com/group/security-onion">http://groups.google.com/group/security-onion</a>.<br \
/> For more options, visit <a \
href="https://groups.google.com/groups/opt_out">https://groups.google.com/groups/opt_out</a>.<br \
/>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic