If you need to filter on a specific tag, I believe pcap.bro will need
some tweaking.
For a VLAN with tag XX, I think the following might work (in place of
loading vlan.bro):

    redef restrict_filters += { ["vlan"] = "vlan XX" };
    redef encap_hdr_size = 4;

or for a set of VLANs with tags XX, YY and ZZ:

    redef restrict_filters += { ["vlan"] = "vlan XX or vlan YY or vlan ZZ" };
    redef encap_hdr_size = 4;

- Vern
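
Added example (not part of the message above and not Bro's own code): a Python sketch showing where the 4 in encap_hdr_size comes from, by parsing the 802.1Q tag and locating the IP header behind it. The helper names, the tag values 100/200/300 and the frames are constructed for illustration; wanted() models the intended match (outer tag is in the set), not the filter libpcap actually compiles.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
ETH_HDR_LEN = 14      # dst MAC (6) + src MAC (6) + EtherType (2)
VLAN_TAG_LEN = 4      # TPID (2) + TCI (2): the extra bytes before the IP header


def parse_frame(frame):
    """Return (vlan_id or None, inner_ethertype, payload_offset)."""
    if len(frame) < ETH_HDR_LEN:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        # Untagged frame: payload starts right after the Ethernet header.
        return None, ethertype, ETH_HDR_LEN
    if len(frame) < ETH_HDR_LEN + VLAN_TAG_LEN:
        raise ValueError("truncated 802.1Q tag")
    # TCI = priority (3 bits) | DEI (1 bit) | VLAN ID (12 bits)
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, inner, ETH_HDR_LEN + VLAN_TAG_LEN


def wanted(frame, tags):
    """True if the frame carries an outer 802.1Q tag whose ID is in tags."""
    vlan_id, _, _ = parse_frame(frame)
    return vlan_id is not None and vlan_id in tags


def build_frame(vlan_id=None, pcp=0):
    """Constructed test frame: zeroed MACs, optional tag, minimal IPv4 header."""
    macs = bytes(12)
    ip = bytes([0x45]) + bytes(19)   # version 4, IHL 5, rest zeroed
    if vlan_id is None:
        return macs + struct.pack("!H", 0x0800) + ip
    tci = (pcp << 13) | vlan_id
    return macs + struct.pack("!HHH", TPID_8021Q, tci, 0x0800) + ip


if __name__ == "__main__":
    for f in (build_frame(), build_frame(100, pcp=5), build_frame(300)):
        vid, etype, off = parse_frame(f)
        print(f"vlan={vid} ethertype={etype:#06x} ip_offset={off} "
              f"wanted={wanted(f, {100, 200})}")
```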