[Bro] is vlan bpf broken in bro

erik clark philosnef at gmail.com
Wed Mar 29 07:17:56 PDT 2017

Per this thread:


tcpdump can't process vlan filters. Testing confirms this.

From link:

tcpdump -i eth0 -Uw - | tcpdump -en -r - vlan 4

This works and displays only vlan 4 stuff. The reverse does not:

tcpdump -i eth0 -Uw - "vlan 4" |tcpdump -en -r -

This displays ALL vlans tagged in the traffic, and not just vlan 4.

This is on RHEL 7. Apparently there are some issues with x86_64 vlan

The short of it: Will bro respect vlan filters, or does it have the same
issue that tcpdump and libpcap seem to have?
