[Bro] Ignore 802.1Q vlan-tagging

Seth Hall seth at icir.org
Tue Jan 18 17:22:59 PST 2011


On Jan 18, 2011, at 5:44 PM, Bryce Boe wrote:

> I'm curious if anyone has a patch which allows bro to essentially
> ignore the 802.1Q header if present. Alternatively could someone point
> me to where in the code I should look so that I can modify the code
> myself?


Add the "vlan" keyword to the beginning of your filter so that BPF passes the packets on to Bro and then load the "vlan" script.

There is a set of changes in the pipe now that will make this a little more straightforward (and do the same thing for MPLS), but what's there now should work fine for you if you are just working with VLAN tagged packets.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
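
Why the "vlan" keyword is needed in the filter, as an added example that is not part of the original message or of Bro's code: a capture filter such as `tcp port 80` reads the EtherType and IP/TCP fields at fixed offsets, and an 802.1Q tag inserts 4 bytes in front of them, so tagged frames are silently dropped before the sensor sees them. The frames below are constructed samples and the function names are hypothetical; the matching logic is a simplified model of fixed-offset filtering, not libpcap itself.

```python
import struct

ETH_P_IP, ETH_P_8021Q, IPPROTO_TCP = 0x0800, 0x8100, 6

def build_frame(dport, vlan_id=None):
    """Constructed sample: Ethernet (+ optional 802.1Q tag) + IPv4 + TCP."""
    macs = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    tag = b"" if vlan_id is None else struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 49152, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return macs + tag + struct.pack("!H", ETH_P_IP) + ip + tcp

def match_tcp_port(frame, port, shift=0):
    """Model of 'tcp port N': fixed offsets from the start of the frame."""
    eth_type_off = 12 + shift
    ip_off = eth_type_off + 2
    if len(frame) < ip_off + 20:
        return False
    if struct.unpack_from("!H", frame, eth_type_off)[0] != ETH_P_IP:
        return False          # a tagged frame has 0x8100 here when shift == 0
    if frame[ip_off + 9] != IPPROTO_TCP:
        return False
    tcp_off = ip_off + (frame[ip_off] & 0x0F) * 4
    if len(frame) < tcp_off + 4:
        return False
    return port in struct.unpack_from("!HH", frame, tcp_off)

def match_vlan_tcp_port(frame, port):
    """Model of 'vlan and tcp port N': require the tag, then shift by 4 bytes."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_8021Q:
        return False
    return match_tcp_port(frame, port, shift=4)

def match_either(frame, port):
    """Model of '(tcp port N) or (vlan and tcp port N)' for mixed links."""
    return match_tcp_port(frame, port) or match_vlan_tcp_port(frame, port)

if __name__ == "__main__":
    for name, frame in (("untagged", build_frame(80)), ("vlan 100", build_frame(80, 100))):
        print(name, match_tcp_port(frame, 80), match_vlan_tcp_port(frame, 80),
              match_either(frame, 80))
```

On a link that carries both tagged and untagged traffic, a filter that begins with `vlan` matches only the tagged frames, which is why the combined form is modelled as well.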




