[Bro] Analyzing vlan + normal traffic concurrently

Vern Paxson vern at icir.org
Sun Jun 13 23:01:24 PDT 2010


> ... I feel that Bro
> does not support reading vlan and non-vlan traffic concurrently. Is this
> assumption correct

Yes.

> Also since I'm using Bro for offline traces, does anyone know a way to
> somehow modify the trace file to *fix* vlan traffic and change it to the
> normal traffic.

There's a handy utility "vstrip", written by Eli Dart, that will take a
pcap file and remove VLAN headers in it.  I've put a copy at:

	http://www.icir.org/vern/tmp/vstrip.tar

I also have a modified version that can strip out multiple VLAN tags
(which we've found some switches can generate).  Let me know if you need
that one.

		Vern
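
The kind of rewrite described above, as an added example that is not part of the original message and is not vstrip's code: it removes one or more stacked VLAN tags from every frame of a pcap so the trace reads as plain Ethernet. It assumes a classic (non-pcapng) Ethernet capture; the TPID set, the function names and the sample frames are constructed for illustration.

```python
import struct

VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}  # assumed tag types: 802.1Q, 802.1ad, legacy QinQ
TAG_LEN = 4                            # TPID (2 bytes) + TCI (2 bytes)

def strip_frame(frame):
    """Remove every leading VLAN tag from one Ethernet frame; return (frame, tags_removed)."""
    removed = 0
    # 12 bytes of MAC addresses + 4-byte tag + 2-byte inner EtherType must all be captured.
    while len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] in VLAN_TPIDS:
        frame = frame[:12] + frame[12 + TAG_LEN:]
        removed += 1
    return frame, removed

def strip_pcap(data):
    """Return a copy of a classic pcap byte string with all VLAN tags stripped."""
    if data[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # usec / nsec magic, little-endian
        endian = "<"
    elif data[:4] in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # same, big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    out, pos = [data[:24]], 24
    while pos + 16 <= len(data):
        sec, frac, incl, orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl]
        if len(frame) < incl:
            break  # truncated final record: drop it rather than write a bad header
        frame, removed = strip_frame(frame)
        # Shrink captured and on-wire lengths together so readers accept the record.
        out.append(struct.pack(endian + "IIII", sec, frac, len(frame), orig - removed * TAG_LEN) + frame)
        pos += 16 + incl
    return b"".join(out)

def sample_pcap():
    """Constructed trace: one untagged, one single-tagged and one double-tagged frame."""
    macs = bytes(12)                           # zeroed destination + source MAC
    ip = b"\x08\x00" + b"\x45" + bytes(19)     # EtherType IPv4 + dummy 20-byte header
    frames = [macs + ip,
              macs + b"\x81\x00\x00\x0a" + ip,
              macs + b"\x88\xa8\x00\x64" + b"\x81\x00\x00\x0a" + ip]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

if __name__ == "__main__":
    cleaned = strip_pcap(sample_pcap())
    print(len(sample_pcap()), "->", len(cleaned), "bytes")
```

Frames whose capture was cut off inside a tag are left unchanged, so a trace taken with a very small snaplen may still contain tagged packets after the rewrite.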


