[Bro] Analayzing vlan + normal traffic concurrently

Vern Paxson vern at icir.org
Sun Jun 13 23:01:24 PDT 2010

> ... I feel that Bro
> does not support reading vlan and non-vlan traffic concurrently. Is this
> assumption correct


> Also since I'm using Bro for offline traces, does anyone know a way to
> somehow modify the trace file to *fix* vlan traffic and change it to the
> normal traffic.

There's a handy utility "vstrip", written by Eli Dart, that will take a
pcap file and remove VLAN headers in it.  I've put a copy at:


I also have a modified version that can strip out multiple VLAN tags
(which we've found some switches can generate).  Let me know if you need
that one.


