[Bro] erspan decapsulation

Kristoffer Björk kristoffer.bjork at gmail.com
Thu Apr 16 07:46:05 PDT 2015


It should be ok to chop off the first bytes.
ERSPAN is basically cisco rspan with a GRE encapsulation.
I have been using GULP (https://staff.washington.edu/corey/gulp/) and
piping from gulp to bro -r - but your method is a much cleaner way of doing
it.
Beware of MTU issues though, since packets might get chopped off at the
end if they do not fit after the GRE encapsulation.

//K

On Thu, Apr 16, 2015 at 9:57 AM, Giedrius Ramas <giedrius.ramas at gmail.com>
wrote:

> Thanks for reply,
> I just figured out that I need to skip some bytes of the package header. In my
> current case I need to skip 22 bytes. So I edited the ini-bare.bro file and
> changed the encap_hdr_size = 0 line to encap_hdr_size = 22. BRO can now
> understand the traffic. Do not know if I made a correct fix. Let me know if it
> is not the right way to do it.
>
>
> On Wed, Apr 15, 2015 at 3:09 PM, Seth Hall <seth at icir.org> wrote:
>
>>
>> > On Apr 14, 2015, at 10:57 AM, Giedrius Ramas <giedrius.ramas at gmail.com>
>> wrote:
>> >
>> > Hello, we have problems with ERSPAN package. Is there anyway BRO could
>> understand them ?
>>
>> Could you privately provide us a small packet capture of ERSPAN packets?
>>
>>   .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro.org/
>>
>>
>
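As an added illustration (not code from the thread or from Bro) of where the 22 bytes come from and of the MTU caveat above: assuming Bro has already stripped the outer IP and GRE headers of the tunnel, what is left before the inner IP header is the 8-byte ERSPAN Type II header plus the 14-byte inner Ethernet header, 22 bytes in total. This Python parser walks a constructed frame to that offset, accounting for the optional GRE fields, and compares the inner IP Total Length with what was actually captured, which is the check to run when inner packets look chopped off at the end.

```python
import struct

ETH_HDR_LEN = 14
ERSPAN_II_HDR_LEN = 8          # ERSPAN Type II header that follows GRE
GRE_PROTO_ERSPAN_II = 0x88BE   # GRE protocol type carried by ERSPAN Type II

def gre_header_len(gre):
    """GRE base header is 4 bytes; the C, K and S flag bits each add 4 (RFC 2784/2890)."""
    flags = gre[0]
    return 4 + (4 if flags & 0x80 else 0) + (4 if flags & 0x20 else 0) + (4 if flags & 0x10 else 0)

def erspan_inner_ip_offset(frame):
    """For an Ethernet/IPv4/GRE/ERSPAN-II frame, return (offset of the inner IP header,
    bytes between the end of GRE and the inner IP header)."""
    if len(frame) < ETH_HDR_LEN + 20 + 4 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("outer frame is not IPv4 over Ethernet")
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
    if frame[ETH_HDR_LEN + 9] != 47:            # IP protocol 47 = GRE
        raise ValueError("outer IP payload is not GRE")
    gre_off = ETH_HDR_LEN + ihl
    if struct.unpack_from("!H", frame, gre_off + 2)[0] != GRE_PROTO_ERSPAN_II:
        raise ValueError("GRE payload is not ERSPAN Type II")
    skip = ERSPAN_II_HDR_LEN + ETH_HDR_LEN      # ERSPAN header + inner Ethernet = 22 bytes
    return gre_off + gre_header_len(frame[gre_off:]) + skip, skip

def inner_truncation(frame, inner_ip_off):
    """Bytes the inner IP packet is short of its own Total Length field (0 if intact)."""
    total_len = struct.unpack_from("!H", frame, inner_ip_off + 2)[0]
    return max(0, total_len - (len(frame) - inner_ip_off))

# Constructed sample: outer Ethernet, outer IPv4 (proto 47), GRE with the S bit set,
# ERSPAN II header, inner Ethernet, inner IPv4 claiming 100 bytes but only 40 captured.
SAMPLE_FRAME = (
    bytes(12) + b"\x08\x00"                                                    # outer Ethernet
    + b"\x45\x00" + struct.pack("!H", 90) + bytes(4) + b"\x40\x2f" + bytes(10)  # outer IPv4
    + struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN_II, 1)                      # GRE, S flag, seq=1
    + bytes(ERSPAN_II_HDR_LEN)                                                 # ERSPAN II header
    + bytes(12) + b"\x08\x00"                                                  # inner Ethernet
    + b"\x45\x00" + struct.pack("!H", 100) + bytes(36)                         # inner IPv4 + 20 B payload
)

if __name__ == "__main__":
    off, skip = erspan_inner_ip_offset(SAMPLE_FRAME)
    print(f"inner IP header at byte {off}; bytes to skip after GRE: {skip}")
    print(f"inner packet truncated by {inner_truncation(SAMPLE_FRAME, off)} bytes")
```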