[Bro] Analayzing vlan + normal traffic concurrently

Faisal Iqbal iqbalf at ucalgary.ca
Mon Jun 14 15:34:02 PDT 2010


I would definitely be interested in the patch. It'd save me [and I hope
several others] the time/space of stripping current and future traces
off the vlan tags.

For the moment, tcprewrite [pointed by Bernhard Ager] did the job
perfectly. I found that vstrip would mess up with the timestamps after
stripping but this might be a one off incident.

Thanks for the help everyone :)

-Faisal

On Mon, 2010-06-14 at 09:11 -0700, Robin Sommer wrote:
> (This was written before Vern's response but I forgot to send it.
> The tool he mentions is probably the better one.)
> 
> On Fri, Jun 11, 2010 at 17:48 -0600, you wrote:
> 
> > I searched Bro mailing list and from the previous posts, I feel that Bro
> > does not support reading vlan and non-vlan traffic concurrently. Is this
> > assumption correct or there is some way/hack to actually analyze them at
> 
> Yes, that's right, there's no support for this yet. It shouldn't be
> too hard too add though. I have an experimental patch for adding
> dynamic MPLS decapsulation and VLAN could probably be done in a
> similar way. Let me know if you're interested in that patch.
> 
> > Also since I'm using Bro for offline traces, does anyone know a way to
> > somehow modify the trace file to *fix* vlan traffic and change it to the
> > normal traffic.
> 
> Google finds this:
> 
>        http://www.life-gone-hazy.com/src/tcpdump-tools/tcpdump-strip-vlans.c
> 
> Haven't tried it though ...
> 
> Robin
> 




More information about the Bro mailing list