[Bro] Analyzing vlan + normal traffic concurrently
Robin Sommer
robin at icir.org
Mon Jun 14 09:11:16 PDT 2010
(This was written before Vern's response but I forgot to send it.
The tool he mentions is probably the better one.)
On Fri, Jun 11, 2010 at 17:48 -0600, you wrote:
> I searched Bro mailing list and from the previous posts, I feel that Bro
> does not support reading vlan and non-vlan traffic concurrently. Is this
> assumption correct or there is some way/hack to actually analyze them at
Yes, that's right, there's no support for this yet. It shouldn't be
too hard to add though. I have an experimental patch for adding
dynamic MPLS decapsulation and VLAN could probably be done in a
similar way. Let me know if you're interested in that patch.
> Also since I'm using Bro for offline traces, does anyone know a way to
> somehow modify the trace file to *fix* vlan traffic and change it to the
> normal traffic.
Google finds this:
http://www.life-gone-hazy.com/src/tcpdump-tools/tcpdump-strip-vlans.c
Haven't tried it though ...
Robin
--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
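
The trace rewrite asked about in this thread, as an added example that is not part of the original message and is not the linked tcpdump-strip-vlans.c: it removes 802.1Q/QinQ tags from every frame of a capture so tagged and untagged packets look the same to the analyzer. It assumes a classic pcap file (not pcapng) with an Ethernet link type; the function names and the two-packet sample capture are constructed for illustration.

```python
import struct

# TPIDs that introduce a VLAN tag: 802.1Q, 802.1ad (QinQ), pre-standard QinQ
TPIDS = {0x8100, 0x88A8, 0x9100}
LE_MAGIC = (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1")  # usec / nsec, little-endian
BE_MAGIC = (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d")  # usec / nsec, big-endian

def strip_vlan_tags(frame: bytes) -> bytes:
    """Drop every stacked VLAN tag that follows the two MAC addresses."""
    while len(frame) >= 18 and struct.unpack_from("!H", frame, 12)[0] in TPIDS:
        frame = frame[:12] + frame[16:]  # cut TPID + TCI (4 bytes)
    return frame

def strip_pcap(data: bytes) -> bytes:
    """Return a copy of a classic pcap capture with VLAN tags removed."""
    end = "<" if data[:4] in LE_MAGIC else ">" if data[:4] in BE_MAGIC else None
    if end is None or len(data) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack_from(end + "I", data, 20)[0] & 0xFFFF != 1:
        raise ValueError("link type is not Ethernet (DLT_EN10MB)")
    out, off = [data[:24]], 24
    while off + 16 <= len(data):
        sec, frac, caplen, origlen = struct.unpack_from(end + "4I", data, off)
        frame = data[off + 16: off + 16 + caplen]
        if len(frame) < caplen:
            break  # truncated final record: stop rather than emit garbage
        new = strip_vlan_tags(frame)
        # Keep the record header consistent with the shortened frame.
        new_orig = max(origlen - (caplen - len(new)), len(new))
        out.append(struct.pack(end + "4I", sec, frac, len(new), new_orig) + new)
        off += 16 + caplen
    return b"".join(out)

def sample_pcap() -> bytes:
    """Constructed two-packet capture: one VLAN 100 frame, one untagged frame."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    macs = bytes.fromhex("020000000002" "020000000001")
    ip = b"\x45" + bytes(19)  # placeholder 20-byte IPv4 header
    tagged = macs + struct.pack("!HHH", 0x8100, 100, 0x0800) + ip
    plain = macs + struct.pack("!H", 0x0800) + ip
    return hdr + b"".join(struct.pack("<4I", 1, 0, len(f), len(f)) + f for f in (tagged, plain))
```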