Hi,
I'm curious if anyone has a patch which allows bro to essentially
ignore the 802.1Q header if present. Alternatively could someone point
me to where in the code I should look so that I can modify the code
myself?
Thanks in advance!
-Bryce Boe
Add the "vlan" keyword to the beginning of your filter so that BPF passes the packets on to Bro and then load the "vlan" script.
There is a set of changes in the pipe now that will make this a little more straightforward (and do the same thing for MPLS), but what's there now should work fine for you if you are just working with VLAN tagged packets.
.Seth
Here is a little patch (to bro1.5.2) I made to get both vlan traffic and regular ethernet traffic at the same time.
It could prove useful to you.
Message of 19/01/11 02:24
From: "Seth Hall"
To: "Bryce Boe"
Cc: bro@bro-ids.org
Subject: Re: [Bro] Ignore 802.1Q vlan-tagging
> I'm curious if anyone has a patch which allows bro to essentially
> ignore the 802.1Q header if present. Alternatively could someone point
> me to where in the code I should look so that I can modify the code
> myself?
Add the "vlan" keyword to the beginning of your filter so that BPF passes the packets on to Bro and then load the "vlan" script.
There is a set of changes in the pipe now that will make this a little more straightforward (and do the same thing for MPLS), but what's there now should work fine for you if you are just working with VLAN tagged packets.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
vlan.diff (1.93 KB)
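
An added example, not code from this thread or from the attached vlan.diff: a C function showing what ignoring the 802.1Q header means at the frame level, so that tagged and untagged Ethernet frames are handled by the same path. The name `l3_offset` and the sample frames are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HDR_LEN    14      /* dst MAC (6) + src MAC (6) + EtherType (2) */
#define VLAN_TAG_LEN   4       /* TCI (2) + encapsulated EtherType (2) */
#define ETHERTYPE_VLAN 0x8100  /* 802.1Q TPID */

/* Hypothetical helper: return the offset of the network-layer payload,
 * skipping one 802.1Q tag if present, or -1 if the frame is truncated.
 * *ethertype receives the encapsulated EtherType; *vlan_id receives the
 * 12-bit VLAN ID, or -1 for an untagged frame. */
int l3_offset(const uint8_t *frame, size_t len, uint16_t *ethertype, int *vlan_id)
{
    size_t off = ETH_HDR_LEN;
    *vlan_id = -1;
    if (len < ETH_HDR_LEN)
        return -1;
    uint16_t type = (uint16_t)((frame[12] << 8) | frame[13]);
    if (type == ETHERTYPE_VLAN) {
        /* Tagged: the real EtherType sits 4 bytes later than usual. */
        if (len < ETH_HDR_LEN + VLAN_TAG_LEN)
            return -1;
        *vlan_id = ((frame[14] << 8) | frame[15]) & 0x0FFF;
        type = (uint16_t)((frame[16] << 8) | frame[17]);
        off += VLAN_TAG_LEN;
    }
    *ethertype = type;
    return (int)off;
}

/* Constructed sample frames: broadcast dst, made-up src, first IPv4 bytes. */
static const uint8_t untagged[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01,
    0x08,0x00, 0x45,0x00 };
static const uint8_t tagged[] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01,
    0x81,0x00, 0x00,0x64, 0x08,0x00, 0x45,0x00 };   /* VLAN ID 100 */

int main(void)
{
    uint16_t et; int vid;
    int off = l3_offset(untagged, sizeof untagged, &et, &vid);
    printf("untagged: off=%d type=0x%04x vlan=%d\n", off, et, vid);
    off = l3_offset(tagged, sizeof tagged, &et, &vid);
    printf("tagged:   off=%d type=0x%04x vlan=%d\n", off, et, vid);
    return 0;
}
```

The same 4-byte shift is why the capture filter matters: in libpcap filter syntax the `vlan` keyword changes the decoding offsets for the rest of the expression, so a filter written without it does not match the IP header inside tagged frames.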