[Bro] Bro vlan tagging

Vern Paxson vern at icir.org
Mon Sep 19 17:12:47 PDT 2005

> If you need to filter on a specific tag, I believe pcap.bro will need
> some tweaking.

For a VLAN with tag XX, I think the following might work (in place of
loading vlan.bro):

	redef restrict_filters += { ["vlan"] = "vlan XX" };
	redef encap_hdr_size = 4;

or for a set of VLAN's with tags XX, YY and ZZ:

	redef restrict_filters += { ["vlan"] = "vlan XX or vlan YY or vlan ZZ" };
	redef encap_hdr_size = 4;

- Vern

More information about the Bro mailing list