[Bro] Analyzing vlan + normal traffic concurrently

Robin Sommer robin at icir.org
Mon Jun 14 09:11:16 PDT 2010

(This was written before Vern's response but I forgot to send it.
The tool he mentions is probably the better one.)

On Fri, Jun 11, 2010 at 17:48 -0600, you wrote:

> I searched Bro mailing list and from the previous posts, I feel that Bro
> does not support reading vlan and non-vlan traffic concurrently. Is this
> assumption correct, or is there some way/hack to actually analyze them at

Yes, that's right, there's no support for this yet. It shouldn't be
too hard to add though. I have an experimental patch for adding
dynamic MPLS decapsulation and VLAN could probably be done in a
similar way. Let me know if you're interested in that patch.

> Also since I'm using Bro for offline traces, does anyone know a way to
> somehow modify the trace file to *fix* vlan traffic and change it to the
> normal traffic.

Google finds this:


Haven't tried it though ...


Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
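
The offline trace rewrite asked about above, as an added example that is not part of the original message and is not the tool either reply refers to: it removes 802.1Q/802.1ad tags from every frame of a classic-format pcap so that tagged and untagged traffic look alike to the analyzer. The function names are hypothetical, the sample trace is constructed, and pcapng and non-Ethernet link types are assumed out of scope.

```python
import struct

VLAN_TPIDS = {0x8100, 0x88A8}  # 802.1Q and 802.1ad (QinQ) tag identifiers

def strip_vlan(frame):
    """Return (frame with leading VLAN tags removed, number of tags removed)."""
    removed = 0
    # A tag is 4 bytes (TPID + TCI) sitting between the MACs and the real EtherType.
    while len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] in VLAN_TPIDS:
        frame = frame[:12] + frame[16:]
        removed += 1
    return frame, removed

def untag_pcap(data):
    """Rewrite a classic-format pcap (Ethernet link type) without VLAN tags."""
    if data[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif data[:4] in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) is handled")
    out, pos = bytearray(data[:24]), 24
    while pos + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl_len]
        if len(frame) < incl_len:
            break  # truncated final record: stop instead of writing garbage
        frame, removed = strip_vlan(frame)
        # Both length fields shrink by 4 bytes per removed tag.
        out += struct.pack(endian + "IIII", ts_sec, ts_frac, len(frame), orig_len - 4 * removed)
        out += frame
        pos += 16 + incl_len
    return bytes(out)

def sample_pcap():
    """Constructed input: one VLAN-100 tagged frame and one untagged frame."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    macs = bytes(6) + bytes([2, 0, 0, 0, 0, 1])
    payload = b"\x45" + bytes(19)  # placeholder bytes, not a valid IP packet
    plain = macs + struct.pack("!H", 0x0800) + payload
    tagged = macs + struct.pack("!HHH", 0x8100, 100, 0x0800) + payload
    records = b"".join(struct.pack("<IIII", 1, 0, len(f), len(f)) + f for f in (tagged, plain))
    return header + records, header, plain

if __name__ == "__main__":
    pcap, _, _ = sample_pcap()
    print(len(pcap), "->", len(untag_pcap(pcap)), "bytes")
```

Stripping the tag discards the VLAN ID, so hosts that reuse the same addresses on different VLANs become indistinguishable in the rewritten trace.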
