ERSPAN decapsulation

Hello, we have problems with ERSPAN packets. Is there any way BRO could understand them?

Could you privately provide us a small packet capture of ERSPAN packets?

  .Seth

Thanks for reply,
I just figured out that I need to skip some bytes of the packet header. In my current case I need to skip 22 bytes. So I edited the init-bare.bro file and changed the encap_hdr_size = 0 line to encap_hdr_size = 22. BRO can now understand the traffic. I do not know if I made a correct fix. Let me know if it is not the right way to do it.
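As an added example (not from this thread or the Bro project), a small Python decoder that walks a constructed ERSPAN Type II-over-GRE frame and reports the length of each encapsulation layer, so the number of bytes to skip can be read off a capture rather than guessed. On the sample frame the full outer Ethernet/IPv4/GRE/ERSPAN stack is 50 bytes, and the ERSPAN header plus inner Ethernet header left once the GRE layer is stripped is 22 bytes, the two figures quoted in this thread. It assumes an untagged outer Ethernet/IPv4 frame; the frame bytes and addresses are constructed, not real traffic.

```python
# Constructed ERSPAN Type II-over-GRE frame (no real traffic); see build_sample_frame().
import struct

ETH_LEN = 14
GRE_PROTO_ERSPAN_II = 0x88BE   # GRE protocol type carrying ERSPAN Type II
GRE_PROTO_ERSPAN_III = 0x22EB  # GRE protocol type carrying ERSPAN Type III


def gre_header_len(gre: bytes) -> int:
    """GRE header length (RFC 2784/2890) derived from its flag bits."""
    flags = struct.unpack("!H", gre[:2])[0]
    length = 4                  # flags/version + protocol type
    if flags & 0x8000:          # C: checksum + reserved1
        length += 4
    if flags & 0x2000:          # K: key
        length += 4
    if flags & 0x1000:          # S: sequence number (ERSPAN Type II sets this)
        length += 4
    return length


def erspan_layout(frame: bytes) -> dict:
    """Offsets of each layer; assumes untagged outer Ethernet + IPv4 + GRE."""
    ip_off = ETH_LEN
    gre_off = ip_off + (frame[ip_off] & 0x0F) * 4          # IHL in 32-bit words
    gre_len = gre_header_len(frame[gre_off:])
    proto = struct.unpack("!H", frame[gre_off + 2:gre_off + 4])[0]
    if proto == GRE_PROTO_ERSPAN_II:
        erspan_len = 8
    elif proto == GRE_PROTO_ERSPAN_III:
        erspan_len = 12         # optional platform-specific subheader not handled
    else:
        raise ValueError(f"GRE protocol 0x{proto:04x} is not ERSPAN")
    erspan_off = gre_off + gre_len
    ver_vlan, cos_session = struct.unpack("!HH", frame[erspan_off:erspan_off + 4])
    return {
        "erspan_version": ver_vlan >> 12,
        "vlan": ver_vlan & 0x0FFF,
        "session_id": cos_session & 0x03FF,
        "outer_stack_len": erspan_off + erspan_len,   # Ethernet..ERSPAN, before the inner frame
        "after_gre_len": erspan_len + ETH_LEN,        # ERSPAN + inner Ethernet, once GRE is stripped
    }


def build_sample_frame() -> bytes:
    """Constructed sample: outer Ethernet/IPv4/GRE(S bit)/ERSPAN II/inner Ethernet/payload."""
    inner = bytes.fromhex("00000000000a00000000000b0800") + b"inner-ip-packet"
    erspan = struct.pack("!HHI", (1 << 12) | 100, 5, 0)        # version 1, VLAN 100, session 5
    gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN_II, 1)  # S flag set, sequence 1
    ip_len = 20 + len(gre) + len(erspan) + len(inner)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 47, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))   # protocol 47 = GRE
    return bytes.fromhex("0000000000020000000000010800") + ip + gre + erspan + inner
```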

It should be ok to chop off the first bytes.
ERSPAN is basically cisco rspan with a GRE encapsulation.
I have been using GULP (https://staff.washington.edu/corey/gulp/) and piping from gulp to bro -r -, but your method is a much cleaner way of doing it.
Beware of MTU issues though, since packets might get chopped off at the end if they do not fit after the GRE encapsulation.

//K

However, to me it looks like 50 bytes instead of 22 bytes? Like in this: https://staff.washington.edu/corey/gulp/conv.c
But I guess Bro decapsulates the GRE tunnel for you?

//K

Yep. Bro supports GRE.

  .Seth

Ideally we’d just support ERSPAN natively, but there’s nothing wrong with your solution.

  .Seth