[Bro-Dev] Local MPLS coding support

Seth Hall seth at icir.org
Thu Oct 28 11:54:38 PDT 2010


Hi Keith!  I left the full message you sent me for the benefit of everyone on the bro-dev mailing list.

I just pushed a branch to our git repository that has more complete support for MPLS.  I'd appreciate it if you could try it.  I added some functionality to it that the patch in the tracker doesn't have.

* Supports MPLS over Ethernet (which is likely what you're sniffing).
* Builds the appropriate BPF filter so that MPLS encapsulated and non-encapsulated traffic is sent through.

You just need to make sure and load the mpls.bro script.  It *should* just work from that point (no filters to add or anything).  If you define your own filter on the command line (with the -f flag), then the auto mpls support will not work.  You will have to define the appropriate mpls filter in that case.

If this works for you, then you can have your intern work on something else. :P   Let us know if you have staff time needing projects to work on, I'm sure we can figure something out.  

git clone git://git.icir.org/bro
git checkout origin/topic/seth/mpls (ignore all of the warnings)
<do the normal build and install stuff>

  .Seth


On Oct 28, 2010, at 11:27 AM, Keith Lehigh wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi Seth,
>    Hope all is going well for you with getting your head wrapped around
> plans for the future of Bro.
>    We may have some hours available from an intern here to put to work
> on solving our MPLS problem with Bro.  This is one of a couple different
> projects I have in mind, but before I get too far into considering this,
> I wanted to get a little input from you.
>    I would aim to have this support added in such a way that it is
> generic to any flavor of encapsulation and could be contributed back as
> patches.  Given that this person won't be working for us long term, I'm
> not interested in having him make some local hacks which quickly
> become unmaintainable.  As such, do you think the internals of Bro will
> change enough in the near future to make this irrelevant?
>    This question may be more directed at Robin.  Am I being overly
> naive in the amount of effort and rewriting that would need to be done
> to make this work?  I'm pretty sure the intern will need to get some
> time in just getting up to speed on Bro, but I think he doesn't have to
> be a subject matter expert on Bro.  Again, am I being naive?
>    If we go with this project, I'll direct our intern to put questions
> to the Bro list so the community gains from the discussion and have him
> make comments/submissions on the tracker ticket for this issue.
>    Thanks!
> 
> - - Keith
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (Darwin)
> 
> iD8DBQFMyZZmW5AQrvjB4mcRAuEUAJ9Fj7Ti+YuvfvXNzFd9uMAqN7x8OQCeNfUG
> a1TeCo9z20D+hjHx5868oYE=
> =7VFU
> -----END PGP SIGNATURE-----





More information about the bro-dev mailing list