[Bro] Ignore 802.1Q vlan-tagging

Seth Hall seth at icir.org
Tue Jan 18 17:22:59 PST 2011

On Jan 18, 2011, at 5:44 PM, Bryce Boe wrote:

> I'm curious if anyone has a patch which allows bro to essentially
> ignore the 802.1Q header if present. Alternatively could someone point
> me to where in the code I should look so that I can modify the code
> myself?

Add the "vlan" keyword to the beginning of your filter so that BPF passes the packets on to Bro and then load the "vlan" script.

There is a set of changes in the pipe now that will make this a little more straightforward (and do the same thing for MPLS), but what's there now should work fine for you if you are just working with VLAN tagged packets.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list