[Bro] ERSPAN & Missing Logs

Seth Hall seth at corelight.com
Fri Jun 30 07:51:46 PDT 2017

If you could send me a few packets of traffic captured with tcpdump I
could take a look for you (I wrote the RSPAN support).  Sometimes it's
hard to verify that parsers will always work with all versions of
protocols and all usage of a protocol.


On Tue, Jun 27, 2017 at 4:30 PM, Kyle Reidell <kir215 at email.vccs.edu> wrote:
> Hello all,
> I am attempting to monitor a Cisco CSR1000v within AWS via ERSPAN. Through
> my research, I am running Bro version 2.5-147 on an AWS Linux AMI and have
> uploaded a pcap containing ERSPAN data which I have been able to read;
> however, the only log files that are being created from Bro/live traffic are
> the following:
> capture_loss
> stats
> stderr
> stdout
> weird
> communication
> As a test, I have used tcpdump to capture packets on the configured
> interface (mon0), which sees plenty of traffic; however, I still cannot see
> the corresponding logs from Bro.
> Any help would be greatly appreciated!!
> Thank you,
> Planearium

Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com
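Before sending a capture along, it helps to confirm that what tcpdump saw on mon0 is actually ERSPAN and which type (I, II or III), since a parser written against one variant can miss another. The checker below is an added example, not code from this thread or from Bro; it assumes a classic libpcap file with an Ethernet link type, and the function names are my own.

```python
import struct

GRE_PROTO_ERSPAN_I_II = 0x88BE  # GRE protocol type used by ERSPAN Type I and Type II
GRE_PROTO_ERSPAN_III = 0x22EB   # GRE protocol type used by ERSPAN Type III
GRE_SEQ_FLAG = 0x1000           # GRE "S" bit: a 4-byte sequence number follows the header

def parse_erspan(frame):
    """Classify one Ethernet frame; returns a dict for ERSPAN traffic, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                                   # outer frame is not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 47:
        return None                                   # IP protocol 47 is GRE
    gre = ip[ihl:]
    flags, proto = struct.unpack("!HH", gre[:4])
    off = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))  # C, K, S fields
    payload = gre[off:]
    if proto == GRE_PROTO_ERSPAN_I_II and not flags & GRE_SEQ_FLAG:
        kind, session, inner = "I", None, payload      # Type I carries no ERSPAN header at all
    elif proto == GRE_PROTO_ERSPAN_I_II:
        kind, session, inner = "II", struct.unpack("!I", payload[:4])[0] & 0x3FF, payload[8:]
    elif proto == GRE_PROTO_ERSPAN_III:
        kind, session, inner = "III", struct.unpack("!I", payload[:4])[0] & 0x3FF, payload[12:]
    else:
        return None                                   # GRE, but not ERSPAN
    inner_type = struct.unpack("!H", inner[12:14])[0] if len(inner) >= 14 else None
    return {"type": kind, "session_id": session, "inner_ethertype": inner_type}

def read_pcap(path):
    """Yield frames from a classic libpcap file (as tcpdump -w writes); assumes Ethernet link type."""
    with open(path, "rb") as fh:
        magic = fh.read(24)[:4]
        endian = "<" if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
        while hdr := fh.read(16):
            caplen = struct.unpack(endian + "IIII", hdr)[2]
            yield fh.read(caplen)

def build_sample_erspan_ii(session_id=5):
    """Constructed ERSPAN Type II frame for a self-test; this is not captured traffic."""
    outer_eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    inner = b"\x06" * 6 + b"\x08" * 6 + b"\x08\x00" + b"\x45" + b"\x00" * 19   # mirrored IPv4 frame
    gre = struct.pack("!HHI", GRE_SEQ_FLAG, GRE_PROTO_ERSPAN_I_II, 1)           # S bit set, seq 1
    erspan = struct.pack("!II", (1 << 28) | session_id, 0)                        # version 1, session id
    length = 20 + len(gre) + len(erspan) + len(inner)
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0, 0, 64, 47, 0, b"\x0a\0\0\1", b"\x0a\0\0\2")
    return outer_eth + outer_ip + gre + erspan + inner
```

Running `parse_erspan` over `read_pcap("mon0.pcap")` and tallying the returned type and inner EtherType tells you whether the capture is ERSPAN at all and which variant the parser has to handle.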
