[Bro] Multiple encapsulation
Fabian Hensel
irdeto at gmail.com
Thu Jan 17 05:59:28 PST 2008
Hi
I have a rather urgent problem. For the evaluation of my diploma
thesis, I want to run Bro in a DSL-Core Network. The traffic there is
encapsulated multiple times and Bro does not inspect the real payload
without adjustment. This is what I could determine from looking at a
sample trace:
MPLS: 4 bytes
MPLS: 4 bytes
IP: 20 bytes
UDP: 8 bytes
L2TP: 8 bytes
PPP: 4 bytes
Total encapsulation headers: 48 bytes
I tried playing around with parse_udp_tunnels, udp_tunnel_port and
encap_hdr_size (set to 48), but without any real success. Any chance I
can get this working?
Regards - Fabian
More information about the Bro
mailing list