[Bro] Logging VLAN IDs

James Lay jlay at slave-tothe-box.net
Tue Apr 14 10:43:14 PDT 2015


On 2015-04-14 10:59 AM, Thomas, Eric D wrote:
> Dear Bro developers,
>
> I've been tasked with trying to modify the Bro source code so that conn.log includes the VLAN IDs (including 802.1ah) that have been observed in packets associated with that connection. I've scoped out a solution, but I want to run it by you first before I start to go for it, in case I'm missing something really big.
>
> PktSrc::Process() does processing of VLAN and 802.1ah, but it just skips over them by advancing the data pointer. I will, in addition, store those VLAN IDs in a new member of the modified PktSrc class. This gets passed on through net_packet_dispatch() and NetSessions::DispatchPacket(). At this point NetSessions::NextPacket() gets called, but since the PktSrc doesn't get passed to it, I'd need another way to pass it the VLAN ID. I am considering two options:
>
> 1. duplicate NextPacket() adding a new parameter to pass it the VLAN IDs, and call that instead, or
> 2. store the VLAN IDs in the NetSessions class, in DispatchPacket() so it's available to NextPacket() and DoNextPacket() <- Is there a reason this wouldn't work, e.g. issues with multi-threading/multi-processing?
>
> Is there one option that seems better to you?
>
> NetSessions::DoNextPacket() is called next and I would also need a modification to pass it VLAN IDs, using one of the options above. In this method we finally get access to the appropriate Connection instance, so I would store the VLAN IDs in that instance in DoNextPacket().
>
> I'd need to modify the Connection class in Conn.h to include a new member for tracking VLAN IDs. I'd modify Connection::BuildConnVal() and scripts/base/init-bare.bro's connection record to make the VLAN IDs available to scripts. Lastly, I'd write a script to redef the conn Info structure and handle one or more connection events (perhaps connection_state_remove) to copy the VLAN IDs from the connection record to the Info record.
>
> Is there anything I'm missing? Is there a better way to approach this?

And a big +1 to this.  Would love to be able to filter VLANs as well, as we listen to physical interfaces that have other interfaces mirrored that include some unwanted VLANs.

James
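The quoted plan hinges on the first step: walking the 802.1Q/802.1ad/802.1ah tag stack that PktSrc::Process() currently skips over, and keeping the IDs instead of discarding them. The following is an added, stand-alone Python illustration of that walk, not code from Bro or from either poster. It parses a raw Ethernet frame, collects every VLAN ID (and the 802.1ah I-SID) in the order encountered, reports where the L3 payload begins, and refuses to read past a truncated header. The `record_vlans()` helper and the sample PBB frame are constructed for this example and only mimic the "store the IDs per Connection" step described above; the ethertype values are the standard ones.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Standard ethertypes of the tag headers we walk.
ETH_8021Q = 0x8100    # customer VLAN tag (C-TAG)
ETH_8021AD = 0x88A8   # service VLAN tag (S-TAG, QinQ)
ETH_9100 = 0x9100     # legacy QinQ tag
ETH_8021AH = 0x88E7   # 802.1ah / PBB I-TAG
VLAN_TAG_TYPES = {ETH_8021Q, ETH_8021AD, ETH_9100}


@dataclass
class TagStack:
    """Everything learned while walking the tag headers of one frame."""
    vlan_ids: List[int] = field(default_factory=list)   # outermost first
    isids: List[int] = field(default_factory=list)      # 802.1ah I-SIDs
    payload_ethertype: Optional[int] = None             # e.g. 0x0800 for IPv4
    payload_offset: int = 0                             # byte offset of L3 header


def _u16(buf: bytes, off: int) -> int:
    if off + 2 > len(buf):
        raise ValueError(f"truncated frame at offset {off}")
    return struct.unpack_from("!H", buf, off)[0]


def _u32(buf: bytes, off: int) -> int:
    if off + 4 > len(buf):
        raise ValueError(f"truncated frame at offset {off}")
    return struct.unpack_from("!I", buf, off)[0]


def parse_tag_stack(frame: bytes) -> TagStack:
    """Walk 802.1Q/802.1ad/802.1ah headers, recording IDs rather than skipping them."""
    result = TagStack()
    off = 12                       # skip destination and source MAC
    ethertype = _u16(frame, off)
    off += 2
    while True:
        if ethertype in VLAN_TAG_TYPES:
            tci = _u16(frame, off)
            result.vlan_ids.append(tci & 0x0FFF)   # VID is the low 12 bits of the TCI
            ethertype = _u16(frame, off + 2)
            off += 4
        elif ethertype == ETH_8021AH:
            # I-TAG: 4-byte field whose low 24 bits are the I-SID, followed by the
            # encapsulated customer DA/SA (12 bytes) and the customer ethertype,
            # which may itself be another VLAN tag.
            itag = _u32(frame, off)
            result.isids.append(itag & 0x00FFFFFF)
            off += 4 + 12
            ethertype = _u16(frame, off)
            off += 2
        else:
            break
    result.payload_ethertype = ethertype
    result.payload_offset = off
    return result


ConnKey = Tuple[str, int, str, int, str]   # constructed 5-tuple stand-in for Bro's ConnID


def record_vlans(store: Dict[ConnKey, List[int]], key: ConnKey, tags: TagStack) -> List[int]:
    """Accumulate distinct VLAN IDs per connection (constructed helper, not Bro's own)."""
    seen = store.setdefault(key, [])
    for vid in tags.vlan_ids:
        if vid not in seen:
            seen.append(vid)
    return seen


def build_sample_frame() -> bytes:
    """Constructed PBB frame: S-TAG 100 -> I-TAG (I-SID 0x123456) -> C-TAG 200 -> IPv4."""
    b_da = bytes.fromhex("001122334455")
    b_sa = bytes.fromhex("00aabbccddee")
    c_da = bytes.fromhex("0a0b0c0d0e0f")
    c_sa = bytes.fromhex("0a1b1c1d1e1f")
    stag = struct.pack("!HH", ETH_8021AD, 100)        # PCP/DEI 0, VID 100
    itag = struct.pack("!HI", ETH_8021AH, 0x123456)   # flags 0, I-SID 0x123456
    ctag = struct.pack("!HH", ETH_8021Q, 200)         # PCP/DEI 0, VID 200
    ipv4 = struct.pack("!H", 0x0800) + b"\x45\x00" + b"\x00" * 18   # IPv4 header stub
    return b_da + b_sa + stag + itag + c_da + c_sa + ctag + ipv4


if __name__ == "__main__":
    tags = parse_tag_stack(build_sample_frame())
    print("vlan_ids", tags.vlan_ids, "isids", [hex(i) for i in tags.isids],
          "payload", hex(tags.payload_ethertype), "at", tags.payload_offset)
```

Note that the parser keeps the outer-to-inner order, which is what a conn.log column would want to show for QinQ or PBB traffic; a connection that appears on more than one VLAN over its lifetime ends up with several distinct IDs in the per-connection list, which is exactly the case the original post wants visible in conn.log.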

