[Oisf-devel] RFC: vlan_id in flow tracking

Victor Julien victor at inliniac.net
Thu Apr 4 11:10:36 UTC 2013


(RFC: request for comments :))

Suricata currently parses VLAN headers but doesn't really do anything
with them. This is obviously wrong in some cases, like in flow tracking.
There can be several VLANs on a network, where in each we see the same
5-tuple. These shouldn't be mixed, but right now they can be.

This patch tries to deal with it:
https://github.com/inliniac/suricata/commit/d755fdfdc4576057712ccdb70f1e3a17bfad901c

There are a few open issues:

- what to do in case of multiple layers of VLAN? We should probably be
taking the tunnel approach, where we create a fake packet.

- there are reports of broken switches (Chris) that only append VLAN
tags to one direction of the flows. To handle this correctly the VLAN id
tracking would have to be optional.

Comments?

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
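An added illustration of the collision the RFC describes, not code from the patch or from Suricata itself: two packets that share a 5-tuple but carry different 802.1Q tags are kept apart only when the VLAN id is part of the flow key, and a `track_vlan` switch covers the one-direction-tagging switches mentioned above. The `FlowKey`, `ParseVlan` and `FlowKeyEqual` names and the sample frames are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define ETHERTYPE_8021Q 0x8100

/* Flow key: the 5-tuple plus the outer VLAN id (0 = untagged). Constructed
 * for this example, not Suricata's own Flow struct. */
typedef struct {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
    uint16_t vlan_id;
} FlowKey;

/* Walk the 802.1Q tags after the MAC addresses. Returns the tag count
 * (0 = untagged, -1 = truncated tag) and stores the outer tag's 12-bit id
 * in *vlan_id; inner (QinQ) tags are counted but not keyed on. */
int ParseVlan(const uint8_t *frame, size_t len, uint16_t *vlan_id)
{
    size_t off = 12;                       /* skip dst and src MAC */
    int tags = 0;
    *vlan_id = 0;
    while (off + 2 <= len &&
           ((frame[off] << 8) | frame[off + 1]) == ETHERTYPE_8021Q) {
        if (off + 4 > len)
            return -1;                     /* TPID present, TCI cut off */
        if (tags == 0)
            *vlan_id = ((frame[off + 2] << 8) | frame[off + 3]) & 0x0fff;
        tags++;
        off += 4;
    }
    return tags;
}

/* Same flow when the 5-tuple matches and, if VLAN tracking is on, the VLAN
 * id matches too; tracking off is the escape hatch for switches that tag
 * only one direction of a flow. */
bool FlowKeyEqual(const FlowKey *a, const FlowKey *b, bool track_vlan)
{
    if (a->src_ip != b->src_ip || a->dst_ip != b->dst_ip ||
        a->src_port != b->src_port || a->dst_port != b->dst_port ||
        a->proto != b->proto)
        return false;
    return !track_vlan || a->vlan_id == b->vlan_id;
}
/* Constructed sample frames: 12 MAC bytes, then tag(s) and EtherType. */
const uint8_t FRAME_UNTAGGED[] = {0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00};
const uint8_t FRAME_VLAN100[] = {0,0,0,0,0,0, 0,0,0,0,0,0, 0x81,0x00,0x00,0x64, 0x08,0x00};
const uint8_t FRAME_QINQ[] = {0,0,0,0,0,0, 0,0,0,0,0,0, 0x81,0x00,0x00,0x64, 0x81,0x00,0x00,0xc8, 0x08,0x00};
const uint8_t FRAME_CUT[] = {0,0,0,0,0,0, 0,0,0,0,0,0, 0x81,0x00,0x00};
```

With `track_vlan` true the 5-tuple in VLAN 100 and the same 5-tuple in VLAN 200 are distinct flows; with it false they collapse into one, which is the behaviour the asymmetric-tagging switches need.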


