Is there a trick/option to make bro work with 802.1Q-tagged VLANs?
Your diagnosis is correct, the problem is that libpcap doesn't set up
the offset correctly.
Vinod Yegneswaran has contributed a patch to support tunnel offsets. I'm
aiming to include it in the next public release. If you want it early,
let me know and I'll send it to you (not yet integrated), though with the
caveat that it was actually developed for IP-in-UDP tunneling as opposed
to VLAN tunneling, though in principle it should work for either.
Vern