ERSPAN & Missing Logs

Kyle_Reidell · June 27, 2017, 8:30pm

Hello all,

I am attempting to monitor a Cisco CSR1000v within AWS via ERSPAN. Through my research, I am running Bro version 2.5-147 on an AWS Linux AMI and have uploaded a pcap containing ERSPAN data which I have been able to read; however, the only log files that are being created from Bro/live traffic are the following:

capture_loss
stats
stderr
stdout
weird
communication

As a test, I have used tcpdump to capture packets on the configured interface (mon0) which sees plenty of traffic, however, I still cannot see the corresponding logs from Bro.

Any help would be greatly appreciated!!

Thank you,
Planearium

Seth_Hall2 · June 30, 2017, 2:51pm

If you could send me a few packets of traffic captured with tcpdump I
could take a look for you (I wrote the RSPAN support). Sometimes it's
hard to verify that parsers will always work with all versions of
protocols and all usage of a protocol.

.Seth

Topic		Replies	Views
Bro Digest, Vol 109, Issue 14 Zeek	2	85	May 6, 2022
can't get the http analyzer to print anything Zeek	3	60	May 6, 2022
PPPoE Capture IP Layer Being Stripped Zeek	2	56	May 6, 2022
Bro decapsulating ERSPAN (GRE) Zeek	4	96	May 6, 2022
Bro and APCON Zeek	9	89	May 6, 2022

ERSPAN & Missing Logs

Related Topics