Hello,
I need to process an .erf file with contains mpls packets encapsulated in 802.1 q vlan tunnels. How can I process it with BRO? Do I have to redefine any variable?
Thanks in advance!
Veronica Estrada
Nakao’s Laboratory
The University of Tokyo
Bro doesn't support MPLS packets currently. Patches are welcome however. 
I can give you a hand stripping all of the additional headers off-list if you want. It's a little beyond the scope of this list.
.Seth
I have one for MPLS actually, it's attached. However, it is old and
hasn't seen much testing, which is why it never made it into the
distribution. It may also not apply cleanly anymore.
The patch adds a new option "mpls_link" that needs to be redefed to
true.
Robin
bro-mpls.diff (3.78 KB)
Thanks everyone for the fast answer.
I patched bro with the file that Robin sent me but I cannot make it works. I have two questions.
Frame
-Ethernet
–802.1Q Virtual LAN
—Internet Protocol
----TCP
----UDP
----Data
—MPLS
----TCP
----UDP
----Data
----ICMP
–Short Frame
, line 1 (have_mpls): error, “redef” used but not previously defined
Where should I redefine this variable or should I load any special filter?
Veronica Estrada
Nakao’s Laboratory
The University of Tokyo
I don't believe that patch is going to work for you because you're MPLS headers are within VLAN headers. Did you try my suggestion? As long as all of your packets have the same headers on them it should work. Looking at your protocol hierarchy though, it looks like not all of your packets have the mpls header. Is that right?
Like I offered before though, I can get you setup with something that will strip all of the vlan and mpls headers where appropriate if you need it.
.Seth