Hi,
Thanks for the quick replies!
Within vlan.bro, will I need to define the vlans and their tags?
I see:
redef restrict_filters += { ["vlan"] = "vlan" };
Do I list a vlan name within the ["vlan"] and some tag information within
the other "vlan"? Is the second part an actual tag or subnet/mask data?
Thanks again!
Jon Ruggieri

Have a look at pcap.bro, where restrict_filters is defined. The former
"vlan" is just a textual identifier, the second is the actual addition
to the pcap filtering expression that will narrow the filtering down
further -- it effectively comes down to filtering "vlan and (remaining
filter)".
What Adam and Scott meant was to just @load vlan.bro into your
configuration, not change anything inside vlan.bro.
If you need to filter on a specific tag, I believe pcap.bro will need
some tweaking. Let us know if that's the case (or everyone please do
correct me if I'm wrong).
Cheers,
Christian.