[Bro] Ignore 802.1Q vlan-tagging

j.sentier206 j.sentier206 at laposte.net
Wed Jan 19 05:48:03 PST 2011


Here is a little patch (to bro1.5.2) I made to get both vlan traffic and regular ethernet traffic at the same time.
It could prove useful to you.

> Message of 19/01/11 02:24
> From: "Seth Hall"
> To: "Bryce Boe"
> Cc: bro at bro-ids.org
> Subject: Re: [Bro] Ignore 802.1Q vlan-tagging
>
> 
> 
> On Jan 18, 2011, at 5:44 PM, Bryce Boe wrote:
> 
> > I'm curious if anyone has a patch which allows bro to essentially
> > ignore the 802.1Q header if present. Alternatively could someone point
> > me to where in the code I should look so that I can modify the code
> > myself?
> 
> 
> Add the "vlan" keyword to the beginning of your filter so that BPF passes the packets on to Bro and then load the "vlan" script.
> 
> There is a set of changes in the pipe now that will make this a little more straightforward (and do the same thing for MPLS), but what's there now should work fine for you if you are just working with VLAN tagged packets.
> 
> .Seth
> 
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: vlan.diff
Url: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20110119/ffb5ec31/attachment.ksh 
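
Accepting tagged and untagged Ethernet frames at the same time, as the thread asks for, comes down to finding where the network-layer header starts in each frame. The C code below is an added example, not the attached vlan.diff and not Bro's own code; `locate_l3`, `struct l3_info`, the two-tag cap (which goes one step beyond the single-tag case discussed) and the sample frames are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETHERTYPE_VLAN 0x8100  /* 802.1Q TPID */
#define VLAN_TAG_LEN   4       /* TPID (2 bytes) + TCI (2 bytes) */
#define MAX_VLAN_TAGS  2       /* assumption: give up on deeper stacking */

struct l3_info {
    uint16_t ethertype;  /* EtherType of the encapsulated payload */
    uint16_t vlan_id;    /* outermost VLAN ID, 0 when untagged */
    size_t   offset;     /* where the network-layer header starts */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Returns 0 on success, -1 on a truncated frame or too many tags. */
int locate_l3(const uint8_t *frame, size_t caplen, struct l3_info *out)
{
    size_t off = 12;  /* EtherType/TPID follows the two MAC addresses */
    int tags = 0;
    if (caplen < off + 2)
        return -1;
    out->vlan_id = 0;
    while (rd16(frame + off) == ETHERTYPE_VLAN) {
        if (tags == MAX_VLAN_TAGS || caplen < off + 2 + VLAN_TAG_LEN)
            return -1;  /* TCI and next EtherType must be inside caplen */
        if (tags++ == 0)
            out->vlan_id = rd16(frame + off + 2) & 0x0fff;
        off += VLAN_TAG_LEN;
    }
    out->ethertype = rd16(frame + off);
    out->offset = off + 2;
    return 0;
}

/* Constructed sample frames: zeroed MACs, EtherType 0x0800 (IPv4). */
static const uint8_t untagged[] = { 0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00, 0x45 };
static const uint8_t tagged[]   = { 0,0,0,0,0,0, 0,0,0,0,0,0,
                                    0x81,0x00, 0x00,0x64, 0x08,0x00, 0x45 };

int main(void)
{
    struct l3_info a, b;
    if (locate_l3(untagged, sizeof untagged, &a) || locate_l3(tagged, sizeof tagged, &b))
        return 1;
    printf("untagged: type 0x%04x at %zu\n", a.ethertype, a.offset);
    printf("tagged:   type 0x%04x at %zu, vlan %u\n", b.ethertype, b.offset, b.vlan_id);
    return 0;
}
```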

