[Bro] Logging VLAN IDs

Thomas, Eric D edthoma at sandia.gov
Tue Apr 14 09:59:58 PDT 2015


Dear Bro developers,

I've been tasked with trying to modify the Bro source code so that
conn.log includes the VLAN IDs (including 802.1ah) that have been observed
in packets associated with that connection. I've scoped out a solution,
but I want to run it by you first before I start to go for it, in case I'm
missing something really big.

PktSrc::Process() does processing of VLAN and 802.1ah, but it just skips
over them by advancing the data pointer. I will, in addition, store those
VLAN IDs in a new member of the modified PktSrc class. This gets passed on
through net_packet_dispatch() and NetSessions::DispatchPacket(). At this
point NetSessions::NextPacket() gets called, but since the PktSrc doesn't
get passed to it, I'd need another way to pass it the VLAN ID. I am
considering two options:

1. duplicate NextPacket() adding a new parameter to pass it the VLAN IDs,
and call that instead, or
2. store the VLAN IDs in the NetSessions class, in DispatchPacket() so
it¹s available to NextPacket() and DoNextPacket() <- Is there a reason
this wouldn¹t work, e.g. issues with multi-threading/multi-processing?

Is there one option that seems better to you?

NetSessions::DoNextPacket() is called next and I would also need a
modification to pass it VLAN IDs, using one of the options above. In this
method we finally get access to the appropriate Connection instance, so I
would store the VLAN IDs in that instance in DoNextPacket().

I'd need to modify the Connection class in Conn.h to include a new member
for tracking VLAN IDs. I'd modify Connection::BuildConnVal() and
scripts/base/init-bare.bro's connection record to make the VLAN IDs
available to scripts. Lastly, I'd write a script to redef the conn Info
structure and handle one or more connection events (perhaps
connection_state_remove) to copy the VLAN IDs from the connection record
to the Info record.

Is there anything I'm missing? Is there a better way to approach this?

-- 
Eric Thomas

edthoma at sandia.gov




More information about the Bro mailing list