[Bro] Multiple encapsulation

Fabian Hensel irdeto at gmail.com
Thu Jan 17 08:01:38 PST 2008


I just realized. I had to do a

redef capture_filters += { ["mpls"] = "mpls"};
redef encap_hdr_size = 48;

Because the outermost encapsulation is MPLS...

- Fabian

On Jan 17, 2008 4:01 PM, Ashley Thomas <ashley.thomas at gmail.com> wrote:
> What would be the tcpdump filter you would use in that setup,
> let's say to capture only TCP packets?
>
> Bro uses libpcap like tcpdump to capture the packets.
>
> You can modify the filters that are there in the policy scripts to read
> the packets off the network interface.
>
>
>
> On Jan 17, 2008 8:59 AM, Fabian Hensel <irdeto at gmail.com> wrote:
> > Hi
> >
> > I have a rather urgent problem. For the evaluation of my diploma
> > thesis, I want to run Bro in a DSL-Core Network. The traffic there is
> > encapsulated multiple times and Bro does not inspect the real payload
> > without adjustment. This is what I could determine from looking at a
> > sample trace:
> >
> > MPLS: 4 bytes
> > MPLS: 4 bytes
> > IP: 20 bytes
> > UDP: 8 bytes
> > L2TP: 8 bytes
> > PPP: 4 bytes
> > Total encapsulation headers: 48 bytes
> >
> > I tried playing around with parse_udp_tunnels, udp_tunnel_port and
> > encap_hdr_size (set to 48), but without any real success. Any chance I
> > can get this working?
> >
> > Regards - Fabian
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
>
>
>
> --
> Karmanye Vadhikaraste Ma Phaleshu Kadachana, Ma Karma Phala Hetur
> Bhurmatey Sangostva Akarmani
>
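As an added illustration (not code from this thread or from Bro) of why the stack Fabian lists adds up to 48 bytes, and why a fixed encap_hdr_size only works while that stack stays the same: this Python builds a constructed packet with that encapsulation (two MPLS labels, IPv4, UDP/1701, an L2TPv2 data header with the L bit set, HDLC-framed PPP) and walks it to find the inner IP header. Label values, tunnel and session IDs are made up, and the PPP layout (FF 03 address/control plus 2-byte protocol) is an assumption chosen to match the 4-byte figure in the mail.

```python
import struct

# Constructed sample: MPLS x labels, IPv4 (20), UDP (8), L2TPv2 data w/ L bit (8), PPP (4).
def build_sample(labels=2):
    """Build a made-up packet with the encapsulation stack from the thread."""
    pkt = b""
    for i in range(labels):                           # MPLS: 4 bytes each, S bit on the last
        pkt += struct.pack("!I", ((100 + i) << 12) | (0x100 if i == labels - 1 else 0) | 64)
    pkt += bytes([0x45]) + b"\x00" * 19               # outer IPv4, IHL=5 -> 20 bytes
    pkt += struct.pack("!HHHH", 1701, 1701, 0, 0)     # UDP, 8 bytes, L2TP port
    pkt += struct.pack("!HHHH", 0x4002, 0, 7, 9)      # L2TPv2 data header, L bit set -> 8 bytes
    pkt += bytes([0xFF, 0x03, 0x00, 0x21])            # PPP: HDLC addr/ctrl + protocol IPv4 (assumed)
    pkt += bytes([0x45]) + b"\x00" * 19 + b"\x00" * 20  # inner IPv4 + TCP stub
    return pkt

def inner_offset(pkt):
    """Return the byte offset of the inner IP header, or raise if the stack differs."""
    off = 0
    while True:                                       # MPLS: pop labels until bottom-of-stack bit
        word, = struct.unpack_from("!I", pkt, off)
        off += 4
        if word & 0x100:
            break
    if pkt[off] >> 4 != 4:
        raise ValueError("expected IPv4 after MPLS")
    off += (pkt[off] & 0x0F) * 4                     # IHL is in 32-bit words
    dport, = struct.unpack_from("!H", pkt, off + 2)
    if dport != 1701:
        raise ValueError("UDP payload is not L2TP")
    off += 8
    flags, = struct.unpack_from("!H", pkt, off)
    if (flags & 0x000F) != 2 or flags & 0x8000:      # version 2, data (not control) message
        raise ValueError("not an L2TPv2 data message")
    hdr = 6                                           # flags/ver + tunnel id + session id
    if flags & 0x4000:                                # L: length field present
        hdr += 2
    if flags & 0x0800:                                # S: Ns/Nr present
        hdr += 4
    if flags & 0x0200:                                # O: offset size + padding
        pad, = struct.unpack_from("!H", pkt, off + hdr)
        hdr += 2 + pad
    off += hdr
    if pkt[off:off + 2] == b"\xff\x03":               # PPP HDLC address/control, if present
        off += 2
    proto, = struct.unpack_from("!H", pkt, off)
    if proto != 0x0021:
        raise ValueError("PPP payload is not IPv4")
    return off + 2
```

With three MPLS labels the same walk returns 52, which is exactly the case a hard-coded encap_hdr_size of 48 would misparse.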