[Bro] Ignore 802.1Q vlan-tagging
seth at icir.org
Tue Jan 18 17:22:59 PST 2011
On Jan 18, 2011, at 5:44 PM, Bryce Boe wrote:
> I'm curious if anyone has a patch which allows bro to essentially
> ignore the 802.1Q header if present. Alternatively could someone point
> me to where in the code I should look so that I can modify the code
Add the "vlan" keyword to the beginning of your filter so that BPF passes the packets on to Bro and then load the "vlan" script.
There is a set of changes in the pipe now that will make this a little more straightforward (and do the same thing for MPLS), but what's there now should work fine for you if you are just working with VLAN tagged packets.
International Computer Science Institute
(Bro) because everyone has a network
More information about the Bro