[Bro] erspan decapsulation
kristoffer.bjork at gmail.com
Thu Apr 16 08:15:47 PDT 2015
However, to me it looks like 50 bytes instead of 22 bytes? Like in this:
But I guess Bro decapsulates the GRE tunnel for you?
On Thu, Apr 16, 2015 at 4:46 PM, Kristoffer Björk <
kristoffer.bjork at gmail.com> wrote:
> It should be ok to chop off the first bytes.
> ERSPAN is basically cisco rspan with a GRE encapsulation.
> I have been using GULP (https://staff.washington.edu/corey/gulp/) and
> piping from gulp to bro -r - but your method is a much cleaner way of doing
> Beware of MTU issues though, since packets might get chopped off at
> the end if they do not fit after the GRE encapsulation.
> On Thu, Apr 16, 2015 at 9:57 AM, Giedrius Ramas <giedrius.ramas at gmail.com>
>> Thanks for reply,
>> I just figured out that I need to skip some bytes of the packet header. In my
>> current case I need to skip 22 bytes. So I edited the init-bare.bro file and
>> changed the encap_hdr_size = 0 line to encap_hdr_size = 22. Bro can now
>> understand the traffic. I do not know if I made a correct fix. Let me know if it
>> is not the right way to do it.
>> On Wed, Apr 15, 2015 at 3:09 PM, Seth Hall <seth at icir.org> wrote:
>>> > On Apr 14, 2015, at 10:57 AM, Giedrius Ramas <giedrius.ramas at gmail.com>
>>> > Hello, we have problems with ERSPAN packets. Is there any way Bro could
>>> understand them?
>>> Could you privately provide us a small packet capture of ERSPAN packets?
>>> Seth Hall
>>> International Computer Science Institute
>>> (Bro) because everyone has a network
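Added example, not from the thread and not Bro's own code: a small Python parser that walks the ERSPAN-over-GRE encapsulation discussed above, so the header arithmetic behind the 22-versus-50 question can be checked against an actual capture rather than guessed. The header sizes are the standard ones (outer Ethernet 14, IPv4 20 without options, GRE 4 plus 4 for each of the C/K/S flag bits, ERSPAN Type II 8, Type III 12 plus an optional 8-byte platform subheader). The function encap_hdr_size_after_link_layer() rests on an assumption the thread does not state: that Bro's encap_hdr_size counts the bytes to skip after the outer link-layer header so that what remains is parsed as IP. Under that reading the constructed sample frame (outer IPv4 + GRE with sequence number + ERSPAN Type II + inner Ethernet) comes out at exactly 50. inner_ip_truncated() checks for the tail-chopping MTU problem Kristoffer warns about. The sample frame, its addresses, VLAN, session ID and sequence number are all constructed, not captured.

```python
"""Walk an ERSPAN-over-GRE frame and report how much encapsulation sits in
front of the mirrored frame.  Header sizes used (standard values):
  outer Ethernet II  14        GRE  4, +4 for each of the C/K/S flag bits
  outer IPv4         IHL*4     ERSPAN I:   none (proto 0x88BE, S bit clear)
                               ERSPAN II:  8    (proto 0x88BE, S bit set)
                               ERSPAN III: 12   (proto 0x22EB), +8 if O bit set
"""
import struct

ETHERTYPE_IPV4, ETHERTYPE_VLAN, IPPROTO_GRE = 0x0800, 0x8100, 47
GRE_PROTO_ERSPAN_I_II, GRE_PROTO_ERSPAN_III = 0x88BE, 0x22EB
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000


def parse_erspan_frame(frame: bytes) -> dict:
    """Return the inner-frame offset plus ERSPAN metadata; raise on malformed input."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not Ethernet/IPv4")
    off = 14
    ihl, proto = (frame[off] & 0x0F) * 4, frame[off + 9]
    if ihl < 20 or proto != IPPROTO_GRE:
        raise ValueError("outer IPv4 does not carry GRE (protocol 47)")
    off += ihl
    if len(frame) < off + 4:
        raise ValueError("truncated GRE header")
    flags, gre_proto = struct.unpack_from("!HH", frame, off)
    gre_len = 4 + 4 * sum(1 for bit in (GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S) if flags & bit)
    info = {"gre_proto": gre_proto, "gre_seq": None}
    if flags & GRE_FLAG_S:  # the sequence number is the last optional GRE field
        info["gre_seq"] = struct.unpack_from("!I", frame, off + gre_len - 4)[0]
    off += gre_len
    if gre_proto == GRE_PROTO_ERSPAN_I_II and not flags & GRE_FLAG_S:
        info["erspan_type"] = 1  # Type I: the mirrored frame follows GRE directly
    elif gre_proto == GRE_PROTO_ERSPAN_I_II:
        w0, = struct.unpack_from("!I", frame, off)  # Ver|VLAN|COS|En|T|Session ID
        info.update(erspan_type=2, vlan=(w0 >> 16) & 0x0FFF, session_id=w0 & 0x03FF)
        off += 8
    elif gre_proto == GRE_PROTO_ERSPAN_III:
        w0, ts, w2 = struct.unpack_from("!III", frame, off)
        info.update(erspan_type=3, vlan=(w0 >> 16) & 0x0FFF, session_id=w0 & 0x03FF, timestamp=ts)
        off += 12 + (8 if w2 & 0x1 else 0)  # O bit: platform-specific subheader follows
    else:
        raise ValueError("GRE payload is not ERSPAN (protocol 0x%04x)" % gre_proto)
    if off > len(frame):
        raise ValueError("truncated ERSPAN header")
    info["inner_offset"] = off
    return info


def inner_ip_offset(frame: bytes) -> int:
    """Offset of the mirrored IPv4 header (allows one 802.1Q tag on the inner frame)."""
    inner = parse_erspan_frame(frame)["inner_offset"]
    ethertype = struct.unpack_from("!H", frame, inner + 12)[0]
    if ethertype == ETHERTYPE_VLAN:
        inner, ethertype = inner + 4, struct.unpack_from("!H", frame, inner + 16)[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("mirrored frame is not IPv4")
    return inner + 14


def encap_hdr_size_after_link_layer(frame: bytes) -> int:
    """Bytes between the end of the outer Ethernet header and the mirrored IPv4
    header (outer IPv4 + GRE + ERSPAN + inner Ethernet).  ASSUMPTION, not stated
    in the thread: this is the count Bro's encap_hdr_size expects, so that the
    bytes left after the skip are parsed as IP."""
    return inner_ip_offset(frame) - 14


def inner_ip_truncated(frame: bytes) -> bool:
    """True if the mirrored IPv4 packet claims more bytes than were captured:
    the tail-chopping symptom of the MTU problem raised in the thread."""
    ip_off = inner_ip_offset(frame)
    if len(frame) < ip_off + 20:
        return True
    return struct.unpack_from("!H", frame, ip_off + 2)[0] > len(frame) - ip_off


def build_sample_erspan_ii_frame() -> bytes:
    """Constructed frame, not a real capture: ERSPAN Type II (VLAN 100, session 7,
    GRE sequence 42) carrying a mirrored Ethernet/IPv4 packet (protocol 17, total
    length 24).  IPv4 checksums are left at zero; the parser does not verify them."""
    ipv4 = "!BBHHHBBH4s4s"
    inner_ip = struct.pack(ipv4, 0x45, 0, 24, 1, 0, 64, 17, 0,
                           bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20])) + b"\xde\xad\xbe\xef"
    inner_eth = bytes.fromhex("0a0a0a0a0a0a0b0b0b0b0b0b") + struct.pack("!H", ETHERTYPE_IPV4)
    erspan = struct.pack("!II", (1 << 28) | (100 << 16) | 7, 0)  # Ver=1, VLAN=100, session=7
    gre = struct.pack("!HHI", GRE_FLAG_S, GRE_PROTO_ERSPAN_I_II, 42)
    payload = gre + erspan + inner_eth + inner_ip
    outer_ip = struct.pack(ipv4, 0x45, 0, 20 + len(payload), 2, 0, 64, IPPROTO_GRE, 0,
                           bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    outer_eth = bytes.fromhex("000000000001000000000002") + struct.pack("!H", ETHERTYPE_IPV4)
    return outer_eth + outer_ip + payload


if __name__ == "__main__":
    f = build_sample_erspan_ii_frame()
    print(parse_erspan_frame(f))
    print("encap_hdr_size (assumed semantics):", encap_hdr_size_after_link_layer(f))
    print("inner IP truncated:", inner_ip_truncated(f), inner_ip_truncated(f[:-2]))
```

To use it on a live capture, feed each raw frame from a pcap reader to parse_erspan_frame(); the inner_offset values should be constant for one ERSPAN session, and a nonzero share of inner_ip_truncated() hits is the quickest way to confirm the MTU problem before blaming the analyzer.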