[Bro] BRO with MPLS + 802.1 Q vlan

Veronica Estrada estrada.veronica at gmail.com
Tue Feb 23 23:37:48 PST 2010


Thanks everyone for the fast answer.
I patched bro with the file that Robin sent me but I cannot make it works. I
have two questions.

1) The patch says " We only support MPLS over DLT_PPP_SERIAL links
currently."
What should I modify if I want to analyze MPLS over 802.1Q/Ethernet?
The protocol hierarchy seen in my data is:
Frame
-Ethernet
--802.1Q Virtual LAN
---Internet Protocol
----TCP
----UDP
----Data
---MPLS
----TCP
----UDP
----Data
----ICMP
--Short Frame
2) When I run bro using the patch I run bro using this option have_mpls="T"
but I get
<params>, line 1 (have_mpls): error, "redef" used but not previously defined
Where should I redefine this variable or should I load any special filter?


Veronica Estrada
Nakao's Laboratory
The University of Tokyo




On Tue, Feb 23, 2010 at 2:19 AM, Robin Sommer <robin at icir.org> wrote:

>
> On Mon, Feb 22, 2010 at 08:09 -0500, Seth Hall wrote:
>
> > Bro doesn't support MPLS packets currently.  Patches are welcome
> > however. :)
>
> I have one for MPLS actually, it's attached. However, it is old and
> hasn't seen much testing, which is why it never made it into the
> distribution. It may also not apply cleanly anymore.
>
> The patch adds a new option "mpls_link" that needs to be redefed to
> true.
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20100224/ca3838d7/attachment.html 


More information about the Bro mailing list