[Bro] erspan decapsulation
giedrius.ramas at gmail.com
Thu Apr 16 00:57:13 PDT 2015
Thanks for the reply,
I just figured out that I need to skip some bytes of package header. In my
current case I need to skip 22 bytes. So I edited the init-bare.bro file and
changed the encap_hdr_size = 0 line to encap_hdr_size = 22. BRO can now
understand traffic. I do not know if I made a correct fix. Let me know if it
is not the right way to do it.
On Wed, Apr 15, 2015 at 3:09 PM, Seth Hall <seth at icir.org> wrote:
> > On Apr 14, 2015, at 10:57 AM, Giedrius Ramas <giedrius.ramas at gmail.com>
> > Hello, we have problems with ERSPAN package. Is there any way BRO could
> > understand them?
> Could you privately provide us a small packet capture of ERSPAN packets?
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network