Hi,
I have a few network traces to analyze [for traffic classification] which
have vlan headers for certain subnets, and I'm not able to analyze them
using bro. I can use the "@load vlan" filter but then I'm only able to read
vlan traffic, and it makes Bro skip the normal [non-vlan] traffic.
In my setup, some subnets in my traces are on vlan and further, these
subnets have only inbound traffic on vlan while outbound traffic seems
to be direct [no vlan header in outbound packets]. Due to the above-mentioned
issue I have to pass each trace twice using different filters
and I'm getting two uni-directional flows for each bidirectional flow.
I searched Bro mailing list and from the previous posts, I feel that Bro
does not support reading vlan and non-vlan traffic concurrently. Is this
assumption correct, or is there some way/hack to actually analyze them at
the same time?
Also since I'm using Bro for offline traces, does anyone know a way to
somehow modify the trace file to *fix* vlan traffic and change it to the
normal traffic.
... I feel that Bro
does not support reading vlan and non-vlan traffic concurrently. Is this
assumption correct
Yes.
Also since I'm using Bro for offline traces, does anyone know a way to
somehow modify the trace file to *fix* vlan traffic and change it to the
normal traffic.
There's a handy utility "vstrip", written by Eli Dart, that will take a
pcap file and remove VLAN headers in it. I've put a copy at:
(This was written before Vern's response but I forgot to send it.
The tool he mentions is probably the better one.)
I searched Bro mailing list and from the previous posts, I feel that Bro
does not support reading vlan and non-vlan traffic concurrently. Is this
assumption correct or there is some way/hack to actually analyze them at
Yes, that's right, there's no support for this yet. It shouldn't be
too hard to add though. I have an experimental patch for adding
dynamic MPLS decapsulation and VLAN could probably be done in a
similar way. Let me know if you're interested in that patch.
Also since I'm using Bro for offline traces, does anyone know a way to
somehow modify the trace file to *fix* vlan traffic and change it to the
normal traffic.
For the record: tcprewrite <http://tcpreplay.synfin.net/wiki/tcprewrite>
also offers an option to strip vlan tags and can do a lot more. I
haven't used it yet myself, though.
I would definitely be interested in the patch. It'd save me [and I hope
several others] the time/space of stripping current and future traces
off the vlan tags.
For the moment, tcprewrite [pointed out by Bernhard Ager] did the job
perfectly. I found that vstrip would mess up the timestamps after
stripping, but this might be a one-off incident.
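The thread settles on rewriting the trace so that tagged and untagged frames can be read in one pass, and notes that one stripping tool disturbed the timestamps. The following script is an added example (not vstrip, not tcprewrite, and not Bro code) that does the same rewrite in plain Python: it walks a libpcap file, removes stacked 802.1Q/802.1ad tags (TPIDs 0x8100, 0x88A8, 0x9100) from Ethernet frames, leaves untagged frames untouched, and copies the global header and every per-packet timestamp verbatim so the timing the classifier depends on is preserved. The sample capture it builds (one VLAN 100 frame, one untagged frame, fixed timestamps) is constructed for the example, and the `vlan_id` helper is an addition for logging which frames were tagged before stripping.

```python
import struct
import sys
from typing import Iterator, Optional, Tuple

# TPIDs that introduce a 4-byte 802.1Q / 802.1ad tag right after the MAC addresses
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}
# pcap magic numbers (read big-endian from the file) -> struct byte-order prefix
PCAP_MAGICS = {0xA1B2C3D4: ">", 0xD4C3B2A1: "<", 0xA1B23C4D: ">", 0x4D3CB2A1: "<"}
LINKTYPE_ETHERNET = 1  # DLT_EN10MB
GLOBAL_HDR_LEN, RECORD_HDR_LEN = 24, 16


def vlan_id(frame: bytes) -> Optional[int]:
    """VLAN ID of the outermost tag, or None if the frame is untagged."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid in VLAN_TPIDS else None


def strip_vlan_tags(frame: bytes) -> bytes:
    """Remove every stacked VLAN tag; untagged frames come back byte-for-byte unchanged."""
    if len(frame) < 14:
        return frame
    rest = frame[12:]
    while len(rest) >= 4 and struct.unpack("!H", rest[:2])[0] in VLAN_TPIDS:
        rest = rest[4:]  # drop TPID + TCI; the inner EtherType moves to the front
    return frame[:12] + rest


def _byte_order(data: bytes) -> str:
    magic = struct.unpack(">I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError("not a libpcap file (magic %#x)" % magic)
    return PCAP_MAGICS[magic]


def iter_records(data: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (ts_sec, ts_frac, orig_len, frame) for each record in a pcap file image."""
    e = _byte_order(data)
    if struct.unpack(e + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled")
    off = GLOBAL_HDR_LEN
    while off + RECORD_HDR_LEN <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(e + "IIII", data[off:off + RECORD_HDR_LEN])
        off += RECORD_HDR_LEN
        yield ts_sec, ts_frac, orig_len, data[off:off + incl_len]
        off += incl_len


def rewrite_pcap(data: bytes) -> bytes:
    """Return a new pcap image with VLAN tags stripped; header and timestamps are copied verbatim."""
    e = _byte_order(data)
    out = bytearray(data[:GLOBAL_HDR_LEN])
    for ts_sec, ts_frac, orig_len, frame in iter_records(data):
        stripped = strip_vlan_tags(frame)
        removed = len(frame) - len(stripped)
        # incl_len shrinks by the tag bytes; orig_len (wire length) is adjusted the same way
        out += struct.pack(e + "IIII", ts_sec, ts_frac, len(stripped), max(orig_len - removed, 0))
        out += stripped
    return bytes(out)


def build_sample_pcap() -> bytes:
    """Constructed test input: one 802.1Q-tagged frame (VLAN 100) and one untagged frame."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    macs = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    payload = bytes(range(20))  # stand-in for an IPv4 header; content is irrelevant here
    tagged = macs + struct.pack("!HHH", 0x8100, (3 << 13) | 100, 0x0800) + payload
    plain = macs + struct.pack("!H", 0x0800) + payload
    body = b""
    for ts, frame in ((1234567890, tagged), (1234567891, plain)):
        body += struct.pack("<IIII", ts, 42, len(frame), len(frame)) + frame
    return hdr + body


if __name__ == "__main__":
    # usage: python strip_vlan.py in.pcap out.pcap ; with no arguments it rewrites the built-in sample
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else build_sample_pcap()
    result = rewrite_pcap(src)
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(result)
    for ts_sec, _, _, frame in iter_records(src):
        print(ts_sec, "vlan", vlan_id(frame), "->", len(frame), "bytes before,",
              len(strip_vlan_tags(frame)), "after")
```

The rewrite reads the whole file into memory, which is fine for the offline traces discussed here but not for multi-gigabyte captures; it also rejects non-Ethernet link types and pcapng files rather than guessing at their layout. Comparing `vlan_id` output before the rewrite against the flow log afterwards is a quick way to confirm that the inbound-only tagging the poster describes has collapsed into single bidirectional flows.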