[Bro] bro help please

Vern Paxson vern at icir.org
Wed Apr 7 08:01:48 PDT 2010


> adding support for other encapsulation types seem to just be a matter of
> telling bro what the offset to the data is at the end of src/PktSrc.cc

Yeah, that should generally suffice provided it's a fixed-length header.
Conceptually Bro would also need to be told per packet's encapsulated
within it (e.g., IPv4 vs. ARP), but it actually has a hack to figure this
out itself.

		Vern



More information about the Bro mailing list