[Bro-Dev] [EXTERNAL] Re: [Bro] Logging VLAN IDs
vlad at grigorescu.org
Mon Sep 21 09:20:29 PDT 2015
Apologies for resurrecting an old thread.
I'm wondering if anyone has given any further thought to or done any work
on this. While looking at BIT-1480 (adding ERSPAN decapsulation support), I
was reminded of what a mess Sessions.cc currently is. I think moving
towards passing a Packet structure around would help to simplify things a
lot - possibly by breaking up the code into per-protocol classes.
Curious to hear any thoughts. Thanks,
On Thu, May 7, 2015 at 4:17 PM, Thomas, Eric D <edthoma at sandia.gov> wrote:
> That sounds good! Both ideas seem to add an interesting level of
> additional flexibility and analytic potential.
> Eric Thomas
> edthoma at sandia.gov
> On 4/29/15, 4:59 PM, "Robin Sommer" <robin at broala.com> wrote:
> >What if we did a combination of what I suggested and your thoughts
> >here? We carry link-level features through to script-land inside the
> >connection record, and in addition allowed to transfer a custom subset
> >over to the connection ID for hashing? The latter could be done later
> >as a second step.
> >On Tue, Apr 28, 2015 at 18:32 +0000, you wrote:
> >> Hi Robin,
> >> I thought more about your generalized idea and would like to follow up.
> >> start, adding link-level features to the connection ID hash, while
> >> useful in some contexts, does not provide us the functionality we
> >> I have an incoming feed of VLAN-tagged traffic (both VLAN and 802.1ah)
> >> with perhaps dozens of different VLANs, and I would like to handle the
> >> connections differently in scripts but also mainly in offline log
> >> depending upon which VLANs the traffic is associated with.
> >> Initially I had proposed simply adding the VLAN IDs to the conn.log
> >> but that is certainly too specific of a solution. What are your thoughts
> >> on exposing link-level features at the script layer for connections? For
> >> example, if all observed VLAN tags for a connection were in a set
> >> of the script-level Connection record, I could then label my data by
> >> matching VLAN IDs, then process them differently accordingly. Thoughts?
> >Robin Sommer * Broala, LLC * robin at broala.com * www.broala.com
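As an added illustration of the design discussed in this thread (not code from the thread or from Bro itself), the following Python sketch walks stacked 802.1Q/802.1ad and 802.1ah headers to collect a frame's VLAN tags, optionally folds a subset of those link-level features into a direction-independent connection key, and labels a connection by the VLANs it was seen on; the frames, MACs and label rules are constructed placeholders.

```python
import struct

# Ethertypes after which another link-layer header follows.
ETH_8021Q = 0x8100    # customer VLAN tag (C-TAG)
ETH_8021AD = 0x88A8   # service VLAN tag (S-TAG, "QinQ")
ETH_8021AH = 0x88E7   # 802.1ah provider backbone bridge I-TAG (mac-in-mac)
ETH_IPV4 = 0x0800

def vlan_tags(frame: bytes):
    """Walk the encapsulation headers of an Ethernet frame and return
    (VLAN IDs outer-to-inner, ethertype of the payload, payload offset)."""
    vids, off = [], 12                          # skip destination + source MAC
    try:
        while True:
            (etype,) = struct.unpack_from("!H", frame, off)
            off += 2
            if etype in (ETH_8021Q, ETH_8021AD):
                (tci,) = struct.unpack_from("!H", frame, off)
                vids.append(tci & 0x0FFF)       # VID is the low 12 bits of the TCI
                off += 2
            elif etype == ETH_8021AH:
                off += 4 + 12                   # I-TAG, then encapsulated customer DA/SA
            else:
                return vids, etype, off
    except struct.error:
        raise ValueError("truncated link-layer header")

def conn_key(orig, resp, proto, link_features=()):
    """Direction-independent connection ID; link_features is the optional
    subset of link-level fields folded into the hash (here: the outer VID)."""
    a, b = sorted([orig, resp])
    return (proto,) + a + b + tuple(link_features)

def label_by_vlan(vids, rules=None):
    """Label a connection by the first observed VLAN that matches a rule
    (constructed placeholder rules: VLAN 100 is 'dmz', VLAN 300 is 'lab')."""
    rules = rules or {100: "dmz", 300: "lab"}
    return next((rules[v] for v in vids if v in rules), "unlabeled")

# Constructed sample frames (placeholder MACs, one byte of IP payload).
DA_SA = bytes.fromhex("000000000001" "000000000002")
QINQ_FRAME = DA_SA + struct.pack("!HHHHH", ETH_8021AD, 100,
                                 ETH_8021Q, 0x2000 | 200, ETH_IPV4) + b"\x45"
PBB_FRAME = (DA_SA + struct.pack("!H", ETH_8021AH) + bytes.fromhex("00012345")
             + DA_SA + struct.pack("!HHH", ETH_8021Q, 300, ETH_IPV4) + b"\x45")
FIVE_TUPLE = (("10.0.0.1", 40000), ("10.0.0.2", 80), 6)

def distinct_connection_keys(frames=(QINQ_FRAME, PBB_FRAME)):
    """Same 5-tuple seen on two VLANs: one key without link features, two with."""
    plain = {conn_key(*FIVE_TUPLE) for _ in frames}
    tagged = {conn_key(*FIVE_TUPLE, link_features=vlan_tags(f)[0][:1]) for f in frames}
    return len(plain), len(tagged)
```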