[Bro] Bro and APCON
bro at pingtrip.com
Wed Apr 27 09:41:22 PDT 2016
Thanks for the update, Josh! Another hard lesson learned today was that the Apcon requires a power-cycle if any physical changes are made. For us it was removing/replacing an SFP during testing. We were seeing an extremely high number of “ethertype unknown” entries with arbitrary values (in a 1000-packet sample, tcpdump reported 340 unique unknown ethertype values); this issue cleared after power-cycling the Apcon.
> On Apr 27, 2016, at 10:14 AM, Josh Guild <josh.guild at morphick.com> wrote:
> Hey Dave,
> Still doing some preliminary analysis but we had one of our clients strip the VLAN protocol on our egress ports from the APCON and it allowed Bro/PF_Ring to sessionize the traffic properly (we had tried different -tuples in our set up previously). We have a test we run that checks each level of our framework to make sure we have the proper visibility. This was always a scattershot of what was logged by Bro but, after we stripped the VLAN protocol going to our box, it was cleaned up and looked good.
> I'm going to have them strip the FabricPath protocol and see how that affects the traffic as well (can only strip one protocol at a time).
> Odd thing is, the weird.log entries were still roughly the same with the VLANs stripped, so it was something with how Bro or PF_Ring was handling the incoming packets from the APCON.
> Research continues!
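As an added example (not code from the thread), the tcpdump check described above can be scripted so the same symptom is spotted without counting by hand: it tallies the distinct "ethertype Unknown" values in `tcpdump -e` output, since a genuine exotic protocol shows up as one or a few fixed ethertypes, while hundreds of distinct values in a small sample point at the aggregator mangling frames. The sample lines and the `max_distinct` cutoff are constructed assumptions.

```python
import re
import sys
from collections import Counter

# Constructed sample of `tcpdump -e -n` output (not from a real capture).
SAMPLE = """\
09:41:22.000001 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype IPv4 (0x0800), length 98: 10.0.0.1 > 10.0.0.2: ICMP echo request
09:41:22.000002 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype 802.1Q (0x8100), length 102: vlan 100, p 0, ethertype IPv4 (0x0800), 10.0.0.1.443 > 10.0.0.2.51000: Flags [.]
09:41:22.000003 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype Unknown (0x3a7f), length 64:
09:41:22.000004 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype Unknown (0xc210), length 64:
09:41:22.000005 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype Unknown (0x3a7f), length 64:
09:41:22.000006 00:11:22:33:44:55 > 66:77:88:99:aa:bb, ethertype Unknown (0x9e02), length 64:
"""

# tcpdump prints unrecognised types as "ethertype Unknown (0x%04x)".
UNKNOWN_RE = re.compile(r"ethertype Unknown \((0x[0-9a-fA-F]{4})\)")


def summarize_ethertypes(lines):
    """Return (packets, unknown_packets, Counter of distinct unknown values)."""
    packets = 0
    unknown = Counter()
    for line in lines:
        if not line.strip():
            continue
        packets += 1
        m = UNKNOWN_RE.search(line)
        if m:
            unknown[m.group(1).lower()] += 1
    return packets, sum(unknown.values()), unknown


def aggregator_fault_suspected(unknown_values, max_distinct=8):
    """Heuristic: one exotic protocol yields a handful of fixed ethertypes;
    dozens or hundreds of distinct 'Unknown' values in a sample (the post saw
    340 in 1000 packets) is the signature of mangled frames.  max_distinct is
    an assumed cutoff, tune it to your network."""
    return len(unknown_values) > max_distinct


if __name__ == "__main__":
    # Usage: tcpdump -e -n -c 1000 -r capture.pcap | python3 ethertype_check.py
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    packets, unk, values = summarize_ethertypes(src)
    print(f"{packets} packets, {unk} with unknown ethertype, {len(values)} distinct values")
    if aggregator_fault_suspected(values):
        print("many distinct unknown ethertypes: check TAP/aggregator before blaming Bro")
```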