Um... nic support is irrelevant. For ntop at least.
libpcap operates at the Ethernet frame level. A frame contains a TCP/IP
packet, which may or may not be VLAN - there are different protocol
settings. But a VLAN packet is just a wrapped TCP/IP packet:
etherframe(tcp/ip) or etherframe(vlan(tcp/ip))
Internally, we define the constants (if they're not already defined) in
globals-defines.h:
#if !defined(HAVE_ETHERTYPE_H)
#ifndef ETHERTYPE_IP
#define ETHERTYPE_IP 0x0800
#endif
...
#endif
...
#ifndef ETHERTYPE_802_1Q
#define ETHERTYPE_802_1Q 0x8100
#endif
...
Then in pbuf.c, we check for ETHERTYPE and if it's the VLAN, we just slide
along the packet the length of the header:
if(eth_type == ETHERTYPE_802_1Q) /* VLAN */ {
Ether80211q qType;
memcpy(&qType, p+sizeof(struct ether_header), sizeof(Ether80211q));
vlanId = ntohs(qType.vlanId) & 0xFFF;
...
eth_type = ntohs(qType.protoType);
hlen += 4; /* Skip the 802.1q header */
if(myGlobals.device[deviceId].hasVLANs != TRUE) {
myGlobals.device[deviceId].hasVLANs = TRUE;
myGlobals.haveVLANs = TRUE;
...
}
} else if ...
>From then on, ntop doesn't treat vlans any different.
The only other place it matters is in the bpf filter. vlan is a tag,
telling the filter to assume a vlan frame.
Say you have a normal filter:
port ssh
That's is actually treated as:
ip and port ssh
where ip means to look for that ETHERTYPE_IP frame.
If there are VLAN packets there, libpcap/bpf will ignore them (the test ip
and port ssh is false!)
so you need to specify the filter
vlan and port ssh
Which trips special VLAN logic within the bpf filter, much like ntop has
special logic. If you want both and dont want to worry too much, the
safest filter is
port ssh or vlan and port ssh
()s are implied around the and, so this is really
(ip and port ssh) or (vlan and port ssh)
-----Burton
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Diego de Oliveira
Sent: Friday, August 05, 2005 9:48 AM
To: [email protected]
Subject: Re: [Ntop] VLANs and NTOP
Thanks Burton,
Really, You're be right. I´m going to find a NIC that support 802.1Q,
because today I don't have one.
best Regards
----- Original Message -----
From: "Burton Strauss" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, August 05, 2005 12:04 AM
Subject: RE: [Ntop] VLANs and NTOP
> Depends on your LAN setup. If ntop sees the tags (say it's tapping a
> trunk), then it reports them. If it doesn't see the VLAN tagged packets,
> it
> won't (can't) report them.
>
> -----Burton
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Willy, Andrew
> Sent: Thursday, August 04, 2005 4:29 PM
> To: '[email protected]'
> Subject: RE: [Ntop] VLANs and NTOP
>
> VLAN tags are stripped before they're sent to the host aren't they?
>
> Andrew
>
> -----Original Message-----
> From: Diego de Oliveira [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 04, 2005 12:01 PM
> To: [email protected]
> Subject: [Ntop] VLANs and NTOP
>
>
> HI Folks !
> Does Anyone know , how can I configure the Ntop tool for shown me vlans
> tag?
> is it possible?
>
>
> Regards,
>
> _______________________________________________
> Ntop mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop
> NOTICE OF CONFIDENTIALITY-The information in this email, including
> attachments, may be confidential and/or privileged and may contain
> confidential health information. This email is intended to be reviewed
> only
> by the individual or organization named as addressee. If you have received
> this email in error please notify Scottsdale Medical Imaging, an affiliate
> of Southwest Diagnostic Imaging, LTD immediately - by return message to
> the
> sender or to [EMAIL PROTECTED] - and destroy all copies of this message
> and
> any attachments. Please note that any views or opinions presented in this
> email are solely those of the author and do not necessarily represent
> those
> of Scottsdale Medical Imaging. Confidential health information is
> protected
> by state and federal law, including, but not limited to, the Health
> Insurance Portability and Accountability Act of 1996 and related
> regulations.
> _______________________________________________
> Ntop mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop
>
> _______________________________________________
> Ntop mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop
>
> Esta mensagem foi verificada pelo E-mail Protegido Terra.
> Scan engine: McAfee VirusScan / Atualizado em 04/08/2005 / Versão:
> 4.4.00/4550
> Proteja o seu e-mail Terra: http://mail.terra.com.br/
>
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
