Multiple encapsulation

Hi

I have a rather urgent problem. For the evaluation of my diploma
thesis, I want to run Bro in a DSL-Core Network. The traffic there is
encapsulated multiple times and Bro does not inspect the real payload
without adjustment. This is what I could determine from looking at a
sample trace:

MPLS: 4 bytes
MPLS: 4 bytes
IP: 20 bytes
UDP: 8 bytes
L2TP: 8 bytes
PPP: 4 bytes
Total encapsulation headers: 48 bytes

I tried playing around with parse_udp_tunnels, udp_tunnel_port and
encap_hdr_size (set to 48), but without any real success. Any chance I
can get this working?

Regards - Fabian

I just realized. I had to do a

redef capture_filters += { ["mpls"] = "mpls"};
redef encap_hdr_size = 48;

Because the outermost encapsulation is MPLS...

- Fabian

> sample trace:
>
> MPLS: 4 bytes
> MPLS: 4 bytes
> IP: 20 bytes
> UDP: 8 bytes
> L2TP: 8 bytes
> PPP: 4 bytes
> Total encapsulation headers: 48 bytes
>
> I tried playing around with parse_udp_tunnels, udp_tunnel_port and
> encap_hdr_size (set to 48), but without any real success. Any chance I
> can get this working?

Bro doesn't have this sort of multiple layers of tunneling built into it
in a ready-to-use form. In general, you could modify its dynamic protocol
analysis to do this; but I think easiest would be to hack it in directly,
right after packets are read, with code hardwired to know how to decapsulate
the different types of tunneling present in your traces.

    Vern

> redef capture_filters += { ["mpls"] = "mpls"};
> redef encap_hdr_size = 48;
>
> Because the outermost encapsulation is MPLS...

If the encapsulation is always the same and fixed-sized, then yes, this
can do the trick. My earlier reply was for cases where the encapsulation
varies.

    Vern
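Vern's two replies above set out the choice between a hardwired decapsulator and a fixed encap_hdr_size skip. As an added example (not code from the thread or from Bro), this Python walker parses the stack Fabian lists, MPLS/MPLS/IP/UDP/L2TP/PPP, following the MPLS bottom-of-stack bit, the IP header length and the L2TPv2 flag bits, so it reports where the inner packet starts and makes visible when a fixed 48-byte skip stops being right. The frame it parses is constructed here, not taken from a trace, and it assumes L2TPv2 with an uncompressed PPP address/control field.

```python
import struct

UDP_PROTO, L2TP_PORT = 17, 1701


def decapsulate(frame):
    """Walk MPLS*/IPv4/UDP/L2TPv2/PPP; return (inner payload offset, layers seen) or raise ValueError."""
    off, layers = 0, []
    while True:                                       # MPLS: 4 bytes per label, S bit (0x100) ends the stack
        (word,) = struct.unpack_from("!I", frame, off)
        layers.append("MPLS")
        off += 4
        if word & 0x100:
            break
    if frame[off] >> 4 != 4 or frame[off + 9] != UDP_PROTO:
        raise ValueError("expected IPv4 carrying UDP after the MPLS stack")
    layers.append("IP")
    off += (frame[off] & 0x0F) * 4                    # IHL: IP options would make this more than 20
    if struct.unpack_from("!HH", frame, off)[1] != L2TP_PORT:
        raise ValueError("UDP destination port is not L2TP")
    layers.append("UDP")
    off += 8
    (flags,) = struct.unpack_from("!H", frame, off)   # L2TPv2 (RFC 2661): flag bits select optional fields
    if (flags & 0x000F) != 2:
        raise ValueError("not an L2TPv2 header")
    l2tp_len = 6                                      # flags/version, tunnel id, session id
    if flags & 0x4000: l2tp_len += 2                  # L bit: Length field present
    if flags & 0x0800: l2tp_len += 4                  # S bit: Ns and Nr present
    if flags & 0x0200:                                # O bit: Offset Size field plus that much padding
        l2tp_len += 2 + struct.unpack_from("!H", frame, off + l2tp_len)[0]
    layers.append("L2TP(%d)" % l2tp_len)
    off += l2tp_len
    if frame[off:off + 2] != b"\xff\x03":             # PPP: address/control, then 2-byte protocol field
        raise ValueError("expected uncompressed PPP address/control")
    layers.append("PPP")
    return off + 4, layers


def build_frame(labels=2, l2tp_flags=0x4002, inner=b"INNER"):
    """Constructed frame (not a real capture): the header stack from the thread plus a marker payload."""
    mpls = b"".join(struct.pack("!I", (0x3E8 + i) << 12 | (0x100 if i == labels - 1 else 0))
                    for i in range(labels))
    l2tp = struct.pack("!H", l2tp_flags) + (b"\x00\x00" if l2tp_flags & 0x4000 else b"") + b"\x00\x01\x00\x02"
    payload = l2tp + b"\xff\x03\x00\x21" + inner      # PPP protocol 0x0021 = IPv4
    udp = struct.pack("!HHHH", 40000, L2TP_PORT, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, UDP_PROTO, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return mpls + ip + udp + payload
```

With the default two labels and an L2TP Length field the inner packet starts at byte 48, matching Fabian's setting; a single MPLS label or an L2TP header without the Length field moves it to 44 or 46, which is the case Vern's first reply is about.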

I actually do have an experimental patch for this somewhere. Fabian,
please send me a mail if you still need it.

Robin