[Bro] ERSPAN & Missing Logs
seth at corelight.com
Fri Jun 30 07:51:46 PDT 2017
If you could send me a few packets of traffic captured with tcpdump I
could take a look for you (I wrote the RSPAN support). Sometimes it's
hard to verify that parsers will always work with all versions of
protocols and all usage of a protocol.
On Tue, Jun 27, 2017 at 4:30 PM, Kyle Reidell <kir215 at email.vccs.edu> wrote:
> Hello all,
> I am attempting to monitor a Cisco CSR1000v within AWS via ERSPAN. Through
> my research, I am running Bro version 2.5-147 on an AWS Linux AMI and have
> uploaded a pcap containing ERSPAN data which I have been able to read;
> however, the only log files that are being created from Bro/live traffic are
> the following:
> As a test, I have used tcpdump to capture packets on the configured
> interface (mon0), which sees plenty of traffic; however, I still cannot see
> the corresponding logs from Bro.
> Any help would be greatly appreciated!!
> Thank you,
> Bro mailing list
> bro at bro-ids.org
Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com
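The reply above asks for a tcpdump sample because decapsulation can differ between ERSPAN flavours. The following added example (not code from the thread, Bro, or Corelight) walks GRE -> ERSPAN header -> inner Ethernet for one IP payload, so a captured packet can be checked for which flavour it carries before the capture is handed to the parser author. The GRE protocol-type values and header layouts are the protocol's own; the sample packets are constructed inline.

```python
import struct

# GRE protocol-type values used by ERSPAN (protocol constants, not from the thread)
GRE_PROTO_ERSPAN_I_II = 0x88BE  # Type I (no ERSPAN header) and Type II (ERSPAN version 1)
GRE_PROTO_ERSPAN_III = 0x22EB   # Type III (ERSPAN version 2)

def classify_erspan(ip_payload):
    """Walk GRE -> ERSPAN header -> inner Ethernet for one IP payload (IP protocol 47).

    Returns the ERSPAN flavour, session id and the decapsulated frame, so a capture
    can be checked for a flavour the decapsulator may not handle.
    """
    flags, proto = struct.unpack("!HH", ip_payload[:4])
    off = 4
    if flags & 0x8000:
        off += 4          # GRE checksum + reserved
    if flags & 0x2000:
        off += 4          # GRE key
    has_seq = bool(flags & 0x1000)
    if has_seq:
        off += 4          # GRE sequence number
    if proto == GRE_PROTO_ERSPAN_I_II and not has_seq:
        # Type I: GRE without sequence number, inner Ethernet follows immediately
        return {"type": "I", "version": None, "session": None, "inner": ip_payload[off:]}
    if proto == GRE_PROTO_ERSPAN_I_II:
        (word1,) = struct.unpack("!I", ip_payload[off:off + 4])
        return {"type": "II", "version": word1 >> 28, "session": word1 & 0x3FF,
                "inner": ip_payload[off + 8:]}   # 8-byte Type II header
    if proto == GRE_PROTO_ERSPAN_III:
        word1, _ts, word3 = struct.unpack("!III", ip_payload[off:off + 12])
        off += 12
        if word3 & 0x1:   # "O" bit: an 8-byte platform-specific subheader follows
            off += 8
        return {"type": "III", "version": word1 >> 28, "session": word1 & 0x3FF,
                "inner": ip_payload[off:]}
    return {"type": "not-erspan", "version": None, "session": None, "inner": b""}

# Constructed sample: Type II, GRE sequence 1, VLAN 100, session 5, wrapping an IPv4 Ethernet frame
INNER_FRAME = bytes.fromhex("aabbccddeeff" "001122334455" "0800") + b"\x45" + b"\x00" * 19
SAMPLE_TYPE_II = (struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN_I_II, 1)
                  + struct.pack("!II", (1 << 28) | (100 << 16) | 5, 0) + INNER_FRAME)
# Constructed sample: Type I, the same frame with no ERSPAN header at all
SAMPLE_TYPE_I = struct.pack("!HH", 0x0000, GRE_PROTO_ERSPAN_I_II) + INNER_FRAME

if __name__ == "__main__":
    for name, pkt in (("type II", SAMPLE_TYPE_II), ("type I", SAMPLE_TYPE_I)):
        r = classify_erspan(pkt)
        print(name, r["type"], r["version"], r["session"], r["inner"][12:14].hex())
```

To run this over a real capture, feed it the payload of each IP protocol 47 packet from the tcpdump file; a flavour other than the one the decapsulator expects is a plausible reason for the missing logs.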