[Bro-Dev] Tunnels

Seth Hall seth at icir.org
Thu Jul 28 17:28:18 PDT 2011

On Jul 28, 2011, at 4:49 PM, Gregor Maier wrote:

> * What was the intention of this code?

There is a lot of guessing here as the code was written before I started working with Bro.  The only way I have seen encap_hdr_size used is to remove VLAN headers.  That is done properly now so that use of the encap_hdr_size variable is gone.  

I have no clue what UDP tunnels were being decapsulated though.  In my opinion it was probably something that should have been done with an analyzer anyway and is probably ok to remove.

> * All this happens before IP fragmentation.

Like above, I think it's because it's to remove lower level encapsulation.

> * What should we do with this? Fix? Remove? Modify?

I say remove.  I was tempted to do it when I fixing the VLAN and MPLS handling but I had the same questions as you.

> Note, the reason I was looking at this code is that I want to write 
> something that can decapsulate tunneled IPv6 packets (6in4, 6to4, Teredo).

I have code to do this written for Click! and it's fortunately very easy (I have AYIYA decapsulation code too).  The problem is that you have two IP layer headers and only the one with your address space makes any sense.  It's really confusing to see two non-local networks show up in your conn.log because it was a local host using tunneled address space.

I think we need the ability in the connection record to specify a parent connection or something.  I suppose even just logging the presence of a tunnel may be enough.  There are a lot of questions that will need answered once we start decapsulating tunnels.

I say go for it! :)


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the bro-dev mailing list