[Bro] Analayzing vlan + normal traffic concurrently
Faisal Iqbal
iqbalf at ucalgary.ca
Fri Jun 11 16:48:58 PDT 2010
Hi,
I have few network traces to analyze [for traffic classification] which
have vlan headers for certain subnets, and I'm not able to analyze them
using bro. I can use "@load vlan" filter but then I'm only able to read
vlan traffic, and makes Bro skip on normal [non-vlan] traffic.
In my setup, some subnets in my traces are on vlan and further, these
subnets have only inbound traffic on vlan while outbound traffic seems
to be direct [no vlan header in outbound packets]. Due to above
mentioned issue I have to pass each trace twice using different filters
and I'm getting two uni-directional flows for each bidirectional flow.
I searched Bro mailing list and from the previous posts, I feel that Bro
does not support reading vlan and non-vlan traffic concurrently. Is this
assumption correct or there is some way/hack to actually analyze them at
the same time?
Also since I'm using Bro for offline traces, does anyone know a way to
somehow modify the trace file to *fix* vlan traffic and change it to the
normal traffic.
Thanks for the help :)
-Faisal
More information about the Bro
mailing list