[Bro] [EXTERNAL] Bro Digest, Vol 108, Issue 12

Adam Pumphrey apumphrey at ivsec.com
Wed Apr 15 06:36:11 PDT 2015


> I thought, if you are hoping to filter out traffic by VLANs, you can do a
> PCAP filter. Is that not true?


That’s correct, you can include or exclude VLAN traffic using Bro capture filters.  I believe PacketFilter::restricted_filter from the PacketFilter framework is for doing just that (https://www.bro.org/sphinx/scripts/base/frameworks/packet-filter/main.bro.html).

In fact, you need to use the VLAN keyword to do any IP filtering of VLAN tagged (802.1q) traffic.  It won’t work correctly otherwise.  

You can specify VLAN IDs also, ex:  not (vlan 100 or vlan 101).

You may also encounter multiple VLAN tags on a single packet, there you’ll need the correct number of VLAN keywords, ex: (vlan 100 and vlan 101).  

You could see asynchronous tagging where traffic from a particular stream heading in one direction has 1 tag and traffic going in the opposite direction has 2 or more, so directionality matters also. 

This is all true for MPLS encapsulated traffic too.  The filtering behavior is basically the same from what I’ve seen.  

> In my case, we do want to process different VLANs, but we need to log
> through which links the traffic was observed.


I agree, it would be helpful to have VLAN ID(s) available in conn records if they are present.  It’s valuable info when you’re troubleshooting tap and traffic mirroring configurations in complex environments.

Adam

> On Apr 14, 2015, at 3:35 PM, Thomas, Eric D <edthoma at sandia.gov> wrote:
> 
>> 
>> And a big +1 to this.  Would love to be able to filter VLANs as well
>> as we have listen to physical interfaces that have other interfaces
>> mirrored that include some unwanted VLANs.
>> 
>> James
>> 
> 
> I thought, if you are hoping to filter out traffic by VLANs, you can do a
> PCAP filter. Is that not true?
> 
> In my case, we do want to process different VLANs, but we need to log
> through which links the traffic was observed.
> 

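To make the offset behaviour described in the reply above concrete, here is an added Python model (not Bro code and not from this thread) of how libpcap compiles the `vlan` and `ip` keywords: it builds constructed 802.1Q frames with zero, one or two tags and evaluates a small BPF subset following the rule in the libpcap manual that each `vlan` keyword shifts the offsets used by everything after it in the expression. The frame builder, the token subset and the TPID list are assumptions for the illustration; a live Linux capture may additionally see the outermost tag only in kernel metadata rather than in the frame bytes.

```python
import struct

ETH_IP = 0x0800
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}  # 802.1Q TPID plus the 802.1ad ones newer libpcap also accepts

def build_frame(vlan_ids, ethertype=ETH_IP):  # constructed frame: two MACs, one 802.1Q tag per id, stub payload
    tags = b"".join(struct.pack("!HH", 0x8100, vid & 0x0FFF) for vid in vlan_ids)
    return b"\xaa" * 6 + b"\xbb" * 6 + tags + struct.pack("!H", ethertype) + b"\x45" + b"\x00" * 19

def bpf_match(frame, expr):
    """Evaluate a small BPF subset (vlan [id], ip, and, or, not, parentheses) against one frame
    with libpcap's rule: each 'vlan' keyword, in textual order, moves the ethertype offset 4 bytes."""
    toks = expr.replace("(", " ( ").replace(")", " ) ").split()
    st = {"off": 12}  # offset of the ethertype the next keyword inspects; 12 on an untagged frame
    peek = lambda: toks[0] if toks else None
    take = lambda: toks.pop(0)
    def u16(at):  # big-endian 16-bit read, -1 when the frame is too short for the shifted offset
        return struct.unpack_from("!H", frame, at)[0] if at + 2 <= len(frame) else -1
    def primitive():
        tok = take()
        if tok == "ip":
            return u16(st["off"]) == ETH_IP  # plain 'ip' on a tagged frame sees 0x8100 here, not 0x0800
        if tok == "vlan":
            ok = u16(st["off"]) in VLAN_TPIDS
            if peek() and peek().isdigit():  # optional id: low 12 bits of the TCI right after the TPID
                ok = (u16(st["off"] + 2) & 0x0FFF) == int(take()) and ok
            st["off"] += 4  # every later keyword, even in another 'or' branch, now reads past this tag
            return ok
        raise ValueError("unsupported token: %r" % tok)
    def factor():
        if peek() == "not":
            take()
            return not factor()
        if peek() == "(":
            take()
            val = expression()
            take()  # closing parenthesis
            return val
        return primitive()
    def binop(op, sub):  # left operand is always evaluated, so offsets advance in textual order
        val = sub()
        while peek() == op:
            take()
            val = sub() and val if op == "and" else sub() or val  # both sides always evaluated
        return val
    term = lambda: binop("and", factor)
    expression = lambda: binop("or", term)
    return expression()
```

Because of the shift, `vlan 100 and vlan 101` matches only the double-tagged direction of an asymmetrically tagged flow, and a second `vlan` keyword inside an `or` also reads past the first tag rather than re-testing it.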