ERSPAN & Missing Logs

Kyle_Reidell · June 27, 2017, 8:30pm

Hello all,

I am attempting to monitor a Cisco CSR1000v within AWS via ERSPAN. Through my research, I am running Bro version 2.5-147 on an AWS Linux AMI and have uploaded a pcap containing ERSPAN data which I have been able to read; however, the only log files that are being created from Bro/live traffic are the following:

capture_loss
stats
stderr
stdout
weird
communication

As a test, I have used tcpdump to capture packets on the configured interface (mon0) which sees plenty of traffic, however, I still cannot see the corresponding logs from Bro.

Any help would be greatly appreciated!!

Thank you,
Planearium

seth · June 30, 2017, 2:51pm

If you could send me a few packets of traffic captured with tcpdump I
could take a look for you (I wrote the RSPAN support). Sometimes it's
hard to verify that parsers will always work with all versions of
protocols and all usage of a protocol.

.Seth

Topic		Replies	Views
Bro Digest, Vol 109, Issue 14 Zeek	2	116	May 6, 2022
can't get the http analyzer to print anything Zeek	3	84	May 6, 2022
PPPoE Capture IP Layer Being Stripped Zeek	2	89	May 6, 2022
Bro and APCON Zeek	9	162	May 6, 2022
TCP reassembly question [Port Traffic Mirroring] Zeek	1	238	May 6, 2022

ERSPAN & Missing Logs

Related topics