[Bro-Dev] Tunnels

Vern Paxson vern at icir.org
Fri Jul 29 10:13:50 PDT 2011

> Almost makes me wonder if eventually we'd want to have fake IP connections similarly to the fake udp connections?

I'm not following this.  Seems we'd instead want (1) a one-time event
that identifies the presence of a tunnel, (2) regular processing (via
an analyzer chain) of the traffic inside the tunnel, and (3) a way to
tell that a give connection record (or other network event) ultimately
stems from tunneled traffic.


More information about the bro-dev mailing list