Hi ya,
I'm just wondering, what will be the best approch to filter vlan tags when I
have Bro listening on two interfaces, which one needs to have a vlan
filter and the other doesn't?
If I enable "@load vlan" then Bro only monitors traffic on the interface
which needs to have vlan filter.
Here output from info logfile:
pcap bufsize = 4194304
listening on sf5
pcap bufsize = 4194304
listening on sf7
Bro Version: 1.3.2
Started with the following command line options: -W -i sf5 -i sf7 monitor.bro
Capture filter: (vlan) and (((((((((((port ftp) or (port smtp)) or (tcp[13] & 7 != 0)) or (port 111)) or (tcp src port 80 or tcp src port 8080 or tcp src port 8000)) or (port 6666)) or (port telnet or tcp port 513)) or ((ip[6:2] & 0x3fff != 0) and tcp)) or (udp port 69)) or (port 6667)) or (tcp dst port 80 or tcp dst port 8080 or tcp dst port 8000))
1191794420.634934 received termination signal
949304 packets received on interface sf5, 0 dropped
0 packets received on interface sf7, 0 dropped
As you can see, It hasn't received any packets from sf7. (sf7 = without vlan
tagging)
Kind regards,