[Bro] Bro vlan tagging

Christian Kreibich christian at whoop.org
Mon Sep 19 16:18:07 PDT 2005


On Mon, 2005-09-19 at 15:25 -0700, Joncarlo Ruggieri wrote:
> Hi,
> 
> Thanks for the quick replies!
> 
> Within vlan.bro, will I need to define the vlans and their tags?
> 
> I see:
> 
>  redef restrict_filters += { ["vlan"] = "vlan" };
> 
> Do I list a vlan name within the ["vlan"] and some tag information within
> the other "vlan"?  Is the second part an actual tag or subnet/mask data?

Have a look at pcap.bro, where restrict_filters is defined. The former
"vlan" is just a textual identifier, the second is the actual addition
to the pcap filtering expression that will narrow the filtering down
further -- it effectively comes down to filtering "vlan and (remaining
filter)".

What Adam and Scott meant was to just @load vlan.bro into your
configuration, not change anything inside vlan.bro.

If you need to filter on a specific tag, I believe pcap.bro will need
some tweaking. Let us know if that's the case (or everyone please do
correct me if I'm wrong).

Cheers,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org
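The following is an added example, not part of the original message and not code from pcap.bro. It models the composition Christian describes ("vlan and (remaining filter)") and goes one step further to show why the leading `vlan` term matters on a trunk: in pcap filter syntax, `vlan` shifts the offsets used by every primitive after it past the 4-byte 802.1Q tag. The function names, the frames and the IPv4-only `tcp` check are constructed simplifications.

```python
import struct

ETH_P_IP, ETH_P_8021Q, IPPROTO_TCP = 0x0800, 0x8100, 6

def compose(capture_filters, restrict_filters):
    """Assumed model: restrict terms are ANDed in front of the ORed capture terms."""
    def join(filters, op):
        return f" {op} ".join(f"({f})" for f in filters.values())
    cap, res = join(capture_filters, "or"), join(restrict_filters, "and")
    return f"{res} and ({cap})" if cap and res else cap or res

def make_frame(vlan_id=None):
    """Constructed Ethernet frame with a minimal IPv4 header marked as TCP."""
    macs = bytes(12)
    tag = b"" if vlan_id is None else struct.pack("!HH", ETH_P_8021Q, vlan_id)
    ip = bytearray(20)
    ip[0], ip[9] = 0x45, IPPROTO_TCP
    return macs + tag + struct.pack("!H", ETH_P_IP) + bytes(ip) + bytes(20)

def matches_tcp(frame, after_vlan_keyword):
    """Simplified fixed-offset check, the way a compiled 'tcp' primitive reads a frame."""
    off = 12                                   # EtherType position in an untagged frame
    if after_vlan_keyword:
        if struct.unpack_from("!H", frame, off)[0] != ETH_P_8021Q:
            return False                       # 'vlan' is false for untagged frames
        off += 4                               # later primitives read past the tag
    if struct.unpack_from("!H", frame, off)[0] != ETH_P_IP:
        return False
    return frame[off + 2 + 9] == IPPROTO_TCP   # IPv4 protocol field

if __name__ == "__main__":
    capture = {"web": "tcp port 80", "dns": "udp port 53"}   # constructed entries
    restrict = {"vlan": "vlan"}                              # the redef from vlan.bro
    print(compose(capture, restrict))
    for name, frame in (("untagged", make_frame()), ("tagged", make_frame(100))):
        print(name, "plain:", matches_tcp(frame, False),
              "with vlan:", matches_tcp(frame, True))
```

With the `vlan` term in place, tagged frames match and untagged frames no longer do, so a sensor that sees both kinds of traffic loses visibility of one of them either way.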




