[Bro] Bro vlan tagging

Christian Kreibich christian at whoop.org
Mon Sep 19 16:18:07 PDT 2005

On Mon, 2005-09-19 at 15:25 -0700, Joncarlo Ruggieri wrote:
> Hi,
> Thanks for the quick replies!
> Within vlan.bro, will I need to define the vlans and their tags?
> I see:
>  redef restrict_filters += { ["vlan"] = "vlan" };
> Do I list a vlan name within the ["vlan"] and some tag information within
> the other "vlan"?  Is the second part an actual tag or subnet/mask data?

Have a look at pcap.bro, where restrict_filters is defined. The former
"vlan" is just a textual identifier, the second is the actual addition
to the pcap filtering expression that will narrow the filtering down
further -- it effectively comes down to filtering "vlan and (remaining

What Adam and Scott meant was to just @load vlan.bro into your
configuration, not change anything inside vlan.bro.

If you need to filter on a specific tag, I believe pcap.bro will need
some tweaking. Let us know if that's the case (or everyone please do
correct me if I'm wrong).

