Bro decapsulating ERSPAN (GRE)


I’ve got a VMware instance of Ubuntu running Bro 2.6-beta2. I want Bro to monitor the eth0 interface that is directly receiving ERSPAN (GRE tunneled) data from a Cisco switch. I’ve tried a few different scenarios. I thought Bro could by default recognize and decapsulate the real traffic from the GRE tunnel (according to the Bro notes it should be able to do this), but so far when Bro runs it just sees the GRE traffic in its weird.log. I’ve also tried creating another tunnel interface, tun0, set up as GRE on the Ubuntu instance, and having the traffic forwarded from eth0 to tun0 so that Linux decapsulates it. That is not working either.

Has anyone gotten something similar to work reading Cisco ERSPAN traffic into Bro?

It currently only handles a few GRE protocol types, and it doesn't seem
the ERSPAN ones are among them.

- Jon

To clarify that further: I totally missed that the changelog does say
ERSPAN support was implemented, but I was just looking at the actual
code, which does not seem to handle ERSPAN Type II or III (protocol
types 0x88BE, 0x22EB). The associated commit seems to instead handle
Transparent Ethernet Bridging (protocol type 0x6558). Not sure if I'm
missing something. Or if you can give a pcap to test against, that
could help to verify what's going on and also serve as a test case for
fixing anything that's broken/unimplemented in Bro.

- Jon

For what it’s worth, I tried stripping 50 bytes off the header in the init-bare.bro file, in the encap_hdr_size=50 line. That seems to be the magic number with this unusual ERSPAN GRE header size. After doing that, Bro is recognizing and splitting all the logs out properly.
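
Added example, not part of the thread and not Bro's code: a Python sketch that walks the outer headers of a mirrored frame and returns the offset of the encapsulated Ethernet frame, showing where the 50 bytes come from (14 Ethernet + 20 IPv4 + 8 GRE with sequence number + 8 ERSPAN Type II). It assumes an untagged outer Ethernet/IPv4 frame; `inner_frame_offset` and `build_sample` are hypothetical names, and the sample frames are constructed, not captured.

```python
import struct

GRE_TEB, ERSPAN_II, ERSPAN_III = 0x6558, 0x88BE, 0x22EB  # GRE protocol types named in the thread

def inner_frame_offset(frame: bytes):
    """Return (GRE protocol type, byte offset of the encapsulated Ethernet frame)."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("outer frame is not untagged Ethernet carrying IPv4")
    ihl = (frame[14] & 0x0F) * 4                  # outer IPv4 header length (options allowed)
    if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 47:
        raise ValueError("outer packet is not IPv4 with protocol 47 (GRE)")
    off = 14 + ihl
    if len(frame) < off + 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", frame, off)
    off += 4
    for bit in (0x8000, 0x2000, 0x1000):          # checksum, key, sequence: 4 bytes each
        if flags & bit:
            off += 4
    if proto == ERSPAN_II:
        off += 8                                  # fixed ERSPAN Type II header
    elif proto != GRE_TEB:
        raise ValueError(f"GRE protocol type {proto:#06x} not handled in this sketch")
    if len(frame) < off + 14:
        raise ValueError("truncated before inner Ethernet header")
    return proto, off

def build_sample(proto: int, with_seq: bool) -> bytes:
    """Constructed test frame (made-up MACs, RFC 5737 addresses), not a capture."""
    eth = bytes.fromhex("0200000000bb0200000000aa0800")
    ip = bytes([0x45, 0]) + bytes(6) + bytes([64, 47]) + bytes(2) + bytes([192, 0, 2, 1, 192, 0, 2, 2])
    gre = struct.pack("!HH", 0x1000 if with_seq else 0, proto)
    gre += struct.pack("!I", 1) if with_seq else b""
    erspan = struct.pack("!HHI", 0x1001, 0x0001, 0) if proto == ERSPAN_II else b""
    inner = bytes.fromhex("0200000000020200000000010800") + bytes(20)
    return eth + ip + gre + erspan + inner

if __name__ == "__main__":
    for name, proto, seq in (("ERSPAN II", ERSPAN_II, True), ("TEB", GRE_TEB, False)):
        print(name, inner_frame_offset(build_sample(proto, seq))[1])
```

A fixed strip length only holds while every frame on the interface carries the same encapsulation; a frame with a different GRE flag set or protocol type yields a different offset, which is why the sketch computes it per frame.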