[Bro-Dev] [EXTERNAL] Re: [Bro] Logging VLAN IDs

Robin Sommer robin at broala.com
Wed Apr 29 16:59:07 PDT 2015

What if we did a combination of what I suggested and your thoughts
here? We carry link-level features through to script-land inside the
connection record, and in addition allow transferring a custom subset
over to the connection ID for hashing? The latter could be done later
as a second step.


On Tue, Apr 28, 2015 at 18:32 +0000, you wrote:

> Hi Robin,
> I thought more about your generalized idea and would like to follow up. To
> start, adding link-level features to the connection ID hash, while perhaps
> useful in some contexts, does not provide us the functionality we desire.
> I have an incoming feed of VLAN-tagged traffic (both VLAN and 802.1ah)
> with perhaps dozens of different VLANs, and I would like to handle the
> connections differently in scripts but also mainly in offline log analysis
> depending upon which VLANs the traffic is associated with.
> Initially I had proposed simply adding the VLAN IDs to the conn.log file,
> but that is certainly too specific of a solution. What are your thoughts
> on exposing link-level features at the script layer for connections? For
> example, if all observed VLAN tags for a connection were in a set variable
> of the script-level Connection record, I could then label my data by
> matching VLAN IDs, then process them differently accordingly. Thoughts?

Robin Sommer * Broala, LLC * robin at broala.com * www.broala.com
