[Bro] Multiple encapsulation

Vern Paxson vern at icir.org
Thu Jan 17 08:02:32 PST 2008


> sample trace:
> 
> MPLS: 4 bytes
> MPLS: 4 bytes
> IP: 20 bytes
> UDP: 8 bytes
> L2TP: 8 bytes
> PPP: 4 bytes
> Total encapsulation headers: 48 bytes
> 
> I tried playing around with parse_udp_tunnels, udp_tunnel_port and
> encap_hdr_size (set to 48), but without any real success. Any chance I
> can get this working?

Bro doesn't have this sort of multiple layers of tunneling built into it
in a ready-to-use form.  In general, you could modify its dynamic protocol
analysis to do this; but I think easiest would be to hack it in directly,
right after packets are read, with code hardwired to know how to decapsulate
the different types of tunneling present in your traces.

		Vern
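
The hardwired decapsulation suggested in the reply, as an added example that is not part of the original message or of Bro's code: instead of skipping a fixed 48 bytes, it reads each layer's length from its own header, so it goes beyond the single stack in the trace. Assumptions: the buffer starts at the first MPLS label, L2TP is version 2 over UDP port 1701, the PPP protocol field is uncompressed, and `inner_ip_offset` and `sample` are names and bytes constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Returns the offset of the inner IPv4 header, or -1 if the packet is truncated
 * or is not MPLS* / IPv4 / UDP:1701 / L2TPv2 data / PPP(IPv4). Hypothetical helper. */
long inner_ip_offset(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    /* MPLS: 4-byte entries; the bottom-of-stack flag is the low bit of byte 2. */
    do {
        if (len - off < 4) return -1;
        off += 4;
    } while (!(buf[off - 2] & 0x01));
    /* Outer IPv4: header length comes from IHL, protocol must be UDP (17). */
    if (len - off < 20 || (buf[off] >> 4) != 4) return -1;
    size_t ihl = (size_t)(buf[off] & 0x0f) * 4;
    if (ihl < 20 || len - off < ihl || buf[off + 9] != 17) return -1;
    off += ihl;
    /* UDP: fixed 8 bytes; one of the two ports must be 1701 (L2TP). */
    if (len - off < 8 || (be16(buf + off) != 1701 && be16(buf + off + 2) != 1701)) return -1;
    off += 8;
    /* L2TP (RFC 2661): optional fields are announced by flag bits. */
    if (len - off < 2) return -1;
    uint16_t fl = be16(buf + off);
    if ((fl & 0x8000) || (fl & 0x000f) != 2) return -1; /* control message or not v2 */
    size_t l2 = 6;                        /* flags + tunnel id + session id */
    if (fl & 0x4000) l2 += 2;             /* Length field present */
    if (fl & 0x0800) l2 += 4;             /* Ns and Nr present */
    if (fl & 0x0200) {                    /* Offset Size field plus offset padding */
        if (len - off < l2 + 2) return -1;
        l2 += 2 + be16(buf + off + l2);
    }
    if (len - off < l2) return -1;
    off += l2;
    /* PPP: optional address/control FF 03, then protocol 0x0021 = IPv4. */
    if (len - off >= 2 && buf[off] == 0xff && buf[off + 1] == 0x03) off += 2;
    if (len - off < 2 || be16(buf + off) != 0x0021) return -1;
    return (long)(off + 2);
}
/* Constructed sample: the 48 bytes of headers from the trace, then one inner byte. */
const uint8_t sample[49] = {
    0x00,0x01,0x00,0x40, 0x00,0x02,0x01,0x40,             /* 2 x MPLS, second is bottom */
    0x45,0,0,0, 0,0,0,0, 64,17,0,0, 10,0,0,1, 10,0,0,2,   /* IPv4, protocol UDP */
    0x06,0xa5,0x06,0xa5, 0,0,0,0,                         /* UDP 1701 -> 1701 */
    0x40,0x02,0,0, 0,1,0,1,                               /* L2TP data, Length bit set */
    0xff,0x03,0x00,0x21, 0x45 };                          /* PPP IPv4, first inner byte */
int main(void) { printf("%ld\n", inner_ip_offset(sample, sizeof sample)); return 0; }
```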


