[Bro] Multiple encapsulation

Fabian Hensel irdeto at gmail.com
Thu Jan 17 05:59:28 PST 2008


I have a rather urgent problem. For the evaluation of my diploma
thesis, I want to run Bro in a DSL-Core Network. The traffic there is
encapsulated multiple times and Bro does not inspect the real payload
without adjustment. This is what I could determine from looking at a
sample trace:

MPLS: 4 bytes
MPLS: 4 bytes
IP: 20 bytes
UDP: 8 bytes
L2TP: 8 bytes
PPP: 4 bytes
Total encapsulation headers: 48 bytes

I tried playing around with parse_udp_tunnels, udp_tunnel_port and
encap_hdr_size (set to 48), but without any real success. Any chance I
can get this working?

Regards - Fabian
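
Added example (not part of the original post and not Bro code): a Python sketch that walks the header stack listed above and returns the offset of the inner IPv4 header, showing that the 48-byte figure holds only while the optional L2TP fields are absent. It assumes the buffer starts at the first MPLS label (link-layer header already removed), L2TPv2 data messages, and an uncompressed PPP protocol field; `inner_ip_offset` and `build_sample` are hypothetical names and the packet is constructed.

```python
import struct

def inner_ip_offset(buf: bytes) -> int:
    """Offset of the inner IPv4 header; buf starts at the first MPLS label."""
    off = 0
    while True:                                   # MPLS: 4 bytes per label
        (entry,) = struct.unpack_from("!I", buf, off)
        off += 4
        if entry & 0x100:                         # S bit: bottom of stack
            break
    if (buf[off] >> 4) != 4 or buf[off + 9] != 17:
        raise ValueError("outer header is not IPv4/UDP")
    off += (buf[off] & 0x0F) * 4                  # IHL: 20 bytes without options
    sport, dport = struct.unpack_from("!HH", buf, off)
    if 1701 not in (sport, dport):
        raise ValueError("not L2TP (UDP port 1701)")
    off += 8                                      # UDP header
    (flags,) = struct.unpack_from("!H", buf, off)
    if (flags & 0x8000) or (flags & 0x000F) != 2:
        raise ValueError("not an L2TPv2 data message")
    l2tp = 6                                      # flags/version, tunnel ID, session ID
    if flags & 0x4000:
        l2tp += 2                                 # L bit: Length field present
    if flags & 0x0800:
        l2tp += 4                                 # S bit: Ns and Nr present
    if flags & 0x0200:                            # O bit: Offset Size plus padding
        l2tp += 2 + struct.unpack_from("!H", buf, off + l2tp)[0]
    off += l2tp
    if buf[off:off + 2] == b"\xff\x03":           # PPP address/control (may be compressed away)
        off += 2
    if buf[off:off + 2] != b"\x00\x21":           # PPP protocol 0x0021 = IPv4
        raise ValueError("PPP payload is not IPv4")
    return off + 2

def build_sample(l2tp_flags: int = 0x4002) -> bytes:
    """Constructed packet matching the stack in the post (not from a real trace)."""
    mpls = struct.pack("!II", (100 << 12) | 64, (200 << 12) | 0x100 | 64)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 1701, 1701, 0, 0)
    l2tp = struct.pack("!HHHH", l2tp_flags, 0, 1, 1)
    if l2tp_flags & 0x0800:
        l2tp += struct.pack("!HH", 0, 0)          # Ns, Nr
    inner = b"\x45" + bytes(19)                   # stub inner IPv4 header
    return mpls + ip + udp + l2tp + b"\xff\x03\x00\x21" + inner

if __name__ == "__main__":
    print(inner_ip_offset(build_sample()))        # stack as listed in the post
    print(inner_ip_offset(build_sample(0x4802)))  # same stack with L2TP sequence numbers
```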
