[Bro] erspan decapsulation

Giedrius Ramas giedrius.ramas at gmail.com
Thu Apr 16 00:57:13 PDT 2015


Thanks for the reply.
I just figured out that I need to skip some bytes of the packet header. In my
current case I need to skip 22 bytes. So I edited the ini-bare.bro file and
changed the encap_hdr_size = 0 line to encap_hdr_size = 22. BRO can now
understand the traffic. I do not know if I made a correct fix. Let me know if it
is not the right way to do it.


On Wed, Apr 15, 2015 at 3:09 PM, Seth Hall <seth at icir.org> wrote:

>
> > On Apr 14, 2015, at 10:57 AM, Giedrius Ramas <giedrius.ramas at gmail.com>
> wrote:
> >
> > Hello, we have problems with ERSPAN packets. Is there any way BRO could
> understand them?
>
> Could you privately provide us a small packet capture of ERSPAN packets?
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
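
One way to check whether a fixed skip such as encap_hdr_size = 22 is the right offset, as an added example that is not part of the original thread: test every candidate skip size against captured frames and keep those where a valid IPv4 header (version, length and header checksum) follows. It assumes a 14-byte Ethernet link header, that the skip is applied directly after it, and an IPv4 inner packet; the function names and the sample frames are constructed for illustration.

```python
import struct

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4 header checksum."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def looks_like_ipv4(frame: bytes, off: int) -> bool:
    """True if a well-formed IPv4 header with a valid checksum starts at off."""
    if len(frame) < off + 20:
        return False
    version, ihl = frame[off] >> 4, frame[off] & 0x0F
    hlen = ihl * 4
    if version != 4 or ihl < 5 or len(frame) < off + hlen:
        return False
    total_len = struct.unpack_from("!H", frame, off + 2)[0]
    if not hlen <= total_len <= len(frame) - off:
        return False
    return ones_sum(frame[off:off + hlen]) == 0xFFFF

def candidate_skips(frames, link_hdr=14, max_skip=64):
    """Skip sizes at which every frame has a valid IPv4 header after the link header."""
    return [n for n in range(max_skip + 1)
            if all(looks_like_ipv4(f, link_hdr + n) for f in frames)]

def build_ipv4(src: bytes, dst: bytes, payload: bytes) -> bytes:
    """Constructed sample packet: minimal IPv4 header (protocol 17) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, 17, 0, src, dst)
    csum = 0xFFFF - ones_sum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload

# Constructed frames: 14-byte Ethernet header, 22 opaque filler bytes standing in
# for the encapsulation header (its real layout is not given in the thread), inner IPv4.
ETH = bytes(12) + b"\x08\x00"
UDP = struct.pack("!HHHH", 12345, 53, 8, 0)
SAMPLE_FRAMES = [
    ETH + b"\xee" * 22 + build_ipv4(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", UDP),
    ETH + b"\xee" * 22 + build_ipv4(b"\x0a\x00\x00\x03", b"\x0a\x00\x00\x04", UDP),
]

if __name__ == "__main__":
    print(candidate_skips(SAMPLE_FRAMES))
```

An empty result, or more than one surviving skip size, means a single fixed offset does not describe the capture and the setting would make the sensor misparse or silently drop traffic.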