[Bro] Bro and APCON

Josh Guild josh.guild at morphick.com
Wed Apr 27 09:46:24 PDT 2016

That's interesting, I'll be sure to add that to my debugging cheatsheet for

On Wed, Apr 27, 2016 at 12:41 PM, Dave Crawford <bro at pingtrip.com> wrote:

> Thanks for the update Josh! Another hard lesson learned today was that the
> Apcon requires a power-cycle if any physical changes are made. For us it
> was removing/replacing an SFP during testing. We were seeing an extremely
> high number of “ethertype unknown” with arbitrary values (in a 1000 packet
> sample tcpdump reported 340 unique unknown ethertype values); this issue
> cleared after power-cycling the Apcon.
> -Dave
> > On Apr 27, 2016, at 10:14 AM, Josh Guild <josh.guild at morphick.com>
> wrote:
> >
> > Hey Dave,
> >
> > Still doing some preliminary analysis but we had one of our clients
> strip the VLAN protocol on our egress ports from the APCON and it allowed
> Bro/PF_Ring to sessionize the traffic properly (we had tried different
> -tuples in our set up previously). We have a test we run that checks each
> level of our framework to make sure we have the proper visibility. This was
> always a scattershot of what was logged by Bro but, after we stripped the
> VLAN protocol going to our box, it was cleaned up and looked good.
> >
> > I'm going to have them strip the FabricPath protocol and see how that
> affects the traffic as well (can only strip one protocol at a time).
> >
> > Odd thing is, the weird.log entries were still roughly the same with the
> VLANs stripped, so it was something with how Bro or PF_Ring was handling
> the incoming packets from the APCON.
> >
> > Research continues!

Josh Guild
Network Intelligence Analyst
<https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
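Both observations in this thread come down to the Ethernet header: Dave's tcpdump tally of unknown EtherTypes, and Josh's fix of having the APCON strip the 802.1Q tag so Bro/PF_RING sessionizes properly. Below is an added example, not code from this thread, from Bro, or from APCON, that parses Ethernet II frames, peels 802.1Q/802.1ad tags the way the APCON did, and reports the EtherType distribution so a sample feed can be sanity-checked the way Dave did with tcpdump. The sample frames and the set of "known" EtherTypes are constructed assumptions.

```python
import struct
from collections import Counter

# Assumed set of EtherTypes treated as "known" (extend for your network).
KNOWN_ETHERTYPES = {
    0x0800: "IPv4",
    0x0806: "ARP",
    0x86DD: "IPv6",
    0x8100: "802.1Q VLAN",
    0x88A8: "802.1ad QinQ",
    0x8847: "MPLS unicast",
}
VLAN_TAG_TYPES = {0x8100, 0x88A8}


def frame_ethertype(frame: bytes):
    """Return (vlan_ids, inner_ethertype) for an Ethernet II frame,
    peeling any 802.1Q/802.1ad tags; None if the frame is truncated."""
    if len(frame) < 14:
        return None
    off = 12
    vlans = []
    etype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    while etype in VLAN_TAG_TYPES:
        if len(frame) < off + 4:
            return None
        tci, etype = struct.unpack_from("!HH", frame, off)
        vlans.append(tci & 0x0FFF)  # low 12 bits of TCI are the VLAN id
        off += 4
    return vlans, etype


def strip_vlan_tags(frame: bytes) -> bytes:
    """Return the frame with every leading 802.1Q/802.1ad tag removed
    (what the APCON did for Josh's egress port)."""
    parsed = frame_ethertype(frame)
    if parsed is None:
        return frame
    vlans, _ = parsed
    return frame[:12] + frame[12 + 4 * len(vlans):]


def ethertype_report(frames):
    """Histogram of innermost EtherTypes, the distinct unknown values seen,
    and the share of frames whose EtherType is unknown."""
    hist = Counter()
    unknown_values = set()
    for f in frames:
        parsed = frame_ethertype(f)
        if parsed is None:
            hist["truncated"] += 1
            continue
        _, etype = parsed
        name = KNOWN_ETHERTYPES.get(etype)
        if name is None:
            hist["unknown"] += 1
            unknown_values.add(etype)
        else:
            hist[name] += 1
    total = sum(hist.values())
    ratio = hist["unknown"] / total if total else 0.0
    return hist, sorted(unknown_values), ratio


def build_frame(ethertype, vlan_ids=(), payload=b"\x00" * 46):
    """Constructed Ethernet II frame (sample data, not a real capture)."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    for vid in vlan_ids:
        hdr += struct.pack("!HH", 0x8100, vid)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample: healthy tagged/untagged traffic plus a few frames whose
# EtherType is an arbitrary value, mimicking the symptom Dave described.
SAMPLE_FRAMES = (
    [build_frame(0x0800, (100,)) for _ in range(7)]
    + [build_frame(0x0806)]
    + [build_frame(0x86DD, (100,)) for _ in range(2)]
    + [build_frame(e) for e in (0x1234, 0x5678, 0x9ABC)]
)


def sample_report():
    return ethertype_report(SAMPLE_FRAMES)


if __name__ == "__main__":
    hist, unknowns, ratio = sample_report()
    print(dict(hist), [hex(u) for u in unknowns], f"unknown ratio {ratio:.2%}")
    tagged = build_frame(0x0800, (100, 200))
    print(frame_ethertype(tagged), "->", frame_ethertype(strip_vlan_tags(tagged)))
```

A healthy feed should show a handful of EtherTypes and an unknown ratio near zero; a sample where the unknown share is large and the distinct unknown values keep growing (Dave's 340 distinct values in 1000 packets) points at the tap or aggregator corrupting frames rather than at the sensor.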