[Bro] Issue with small pcap files and -r

Siwek, Jonathan Luke jsiwek at illinois.edu
Tue Jan 8 14:24:35 PST 2013


> I might have some free cycles to poke at adding this functionality, it
> may be entirely out of my capability at the moment but any help of
> "if I were going to add it this is where it would need to go" would be
> helpful in figuring out if I can do it or not.

I think GRE tunnel decapsulation should look pretty similar to IP tunnel decapsulation which is coded in NetSessions::DoNextPacket() of Sessions.cc -- look for the switch statement cases for IPPROTO_IPV4/IPPROTO_IPV6.  You might be able to simply lump IPPROTO_GRE in with that code block if you modify NetSessions::ParseIPPacket() to be able to extract the inner IP packet from a GRE encapsulation (possibly generating some new "gre_packet_header" event with the parsed header fields) and also change the EncapsulatingConn constructor to explicitly require the type of tunnel as an argument.  Enum values for the tunnel types are defined in types.bif; it would make sense to add a new GRE type there.

    Jon
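
A sketch of the bounds-checked GRE header parsing that extracting the inner IP packet would require, as an added example that is not Bro code and not part of the original message. `GreInner` and `parse_gre` are hypothetical names, the header layout assumed is version-0 GRE per RFC 2784/2890, and the sample bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Hypothetical result type for this example; not a Bro structure.
struct GreInner {
    bool ok;         // false: truncated or unsupported GRE header
    uint16_t proto;  // EtherType of the encapsulated packet
    size_t offset;   // bytes from start of GRE header to inner IP header
};

// Locate the inner IP packet behind a version-0 GRE header (RFC 2784/2890).
GreInner parse_gre(const uint8_t* data, size_t len) {
    const GreInner bad = {false, 0, 0};
    if (len < 4) return bad;  // mandatory flags + protocol type
    uint16_t flags = static_cast<uint16_t>((data[0] << 8) | data[1]);
    uint16_t proto = static_cast<uint16_t>((data[2] << 8) | data[3]);
    if (flags & 0x0007) return bad;  // version 1 is PPTP's enhanced GRE
    if (flags & 0x4000) return bad;  // RFC 1701 routing field: variable length
    size_t hdr = 4;
    if (flags & 0x8000) hdr += 4;    // checksum + reserved1
    if (flags & 0x2000) hdr += 4;    // key
    if (flags & 0x1000) hdr += 4;    // sequence number
    if (proto != 0x0800 && proto != 0x86DD) return bad;  // IPv4/IPv6 only
    if (len <= hdr) return bad;      // optional fields or payload cut off
    // The inner IP version nibble must agree with the GRE protocol type.
    uint8_t want = (proto == 0x0800) ? 4 : 6;
    if ((data[hdr] >> 4) != want) return bad;
    return GreInner{true, proto, hdr};
}

// Constructed sample headers (payloads shortened to their first bytes).
static const uint8_t kPlain[] = {0x00, 0x00, 0x08, 0x00, 0x45, 0x00, 0x00, 0x14};
static const uint8_t kKeyed[] = {0x20, 0x00, 0x86, 0xDD, 0x00, 0x00, 0x00, 0x2A,
                                 0x60, 0x00, 0x00, 0x00};
static const uint8_t kPptp[]  = {0x30, 0x01, 0x88, 0x0B, 0x00, 0x04, 0x00, 0x01,
                                 0x00, 0x00, 0x00, 0x01};

int main() {
    GreInner a = parse_gre(kPlain, sizeof kPlain);
    GreInner b = parse_gre(kKeyed, sizeof kKeyed);
    GreInner c = parse_gre(kPptp, sizeof kPptp);
    std::printf("plain: ok=%d offset=%zu\n", a.ok, a.offset);
    std::printf("keyed: ok=%d offset=%zu\n", b.ok, b.offset);
    std::printf("pptp:  ok=%d\n", c.ok);
    return 0;
}
```
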


