[Bro] erspan decapsulation

Kristoffer Björk kristoffer.bjork at gmail.com
Thu Apr 16 08:15:47 PDT 2015


However, to me it looks like 50 bytes instead of 22 bytes? Like in this:
https://staff.washington.edu/corey/gulp/conv.c
But I guess Bro decapsulates the GRE tunnel for you?

//K

On Thu, Apr 16, 2015 at 4:46 PM, Kristoffer Björk <
kristoffer.bjork at gmail.com> wrote:

> It should be ok to chop off the first bytes.
> ERSPAN is basically Cisco RSPAN with a GRE encapsulation.
> I have been using GULP (https://staff.washington.edu/corey/gulp/) and
> piping from gulp to bro -r - but your method is a much cleaner way of doing
> it.
> Beware of MTU issues though, since packets might get chopped off at
> the end if they do not fit after the GRE encapsulation.
>
> //K
>
> On Thu, Apr 16, 2015 at 9:57 AM, Giedrius Ramas <giedrius.ramas at gmail.com>
> wrote:
>
>> Thanks for the reply,
>> I just figured out that I need to skip some bytes of the packet header. In my
>> current case I need to skip 22 bytes. So I edited the init-bare.bro file and
>> changed the encap_hdr_size = 0 line to encap_hdr_size = 22. BRO can now
>> understand the traffic. I do not know if I made a correct fix. Let me know if it
>> is not the right way to do it.
>>
>>
>> On Wed, Apr 15, 2015 at 3:09 PM, Seth Hall <seth at icir.org> wrote:
>>
>>>
>>> > On Apr 14, 2015, at 10:57 AM, Giedrius Ramas <giedrius.ramas at gmail.com>
>>> wrote:
>>> >
>>> > Hello, we have problems with ERSPAN packets. Is there any way BRO could
>>> understand them?
>>>
>>> Could you privately provide us a small packet capture of ERSPAN packets?
>>>
>>>   .Seth
>>>
>>> --
>>> Seth Hall
>>> International Computer Science Institute
>>> (Bro) because everyone has a network
>>> http://www.bro.org/
>>>
>>>
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
>
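To make the byte counts discussed in this thread concrete, here is an added example (written for this page; it is not code from any of the posters, from GULP, or from Bro itself) that walks an ERSPAN frame header by header: outer Ethernet, outer IPv4, GRE (with its optional checksum/key/sequence words), the ERSPAN Type I/II/III header, and the inner Ethernet header, and reports where the inner IP header begins. It also compares the outer IP total length with the bytes actually captured, which is the MTU truncation warned about above. The sample frames are constructed inline. The example assumes that Bro's encap_hdr_size counts the bytes between the outer Ethernet header and the inner IP header (the "assumed" comment marks that field); check that reading against the Bro version you run before copying a number from it.

```python
import struct

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47
GRE_PROTO_ERSPAN_I_II = 0x88BE  # Type I (no seq, no ERSPAN header) and Type II (seq + 8-byte header)
GRE_PROTO_ERSPAN_III = 0x22EB   # Type III (12-byte header, optional 8-byte subheader)


def parse_erspan(frame: bytes) -> dict:
    """Walk outer Ethernet -> IPv4 -> GRE -> ERSPAN -> inner Ethernet and report the
    header sizes, the inner IP offset, and whether the capture was cut short."""
    if len(frame) < ETH_LEN + 20:
        raise ValueError("frame too short to hold outer Ethernet + IPv4 headers")
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")

    off = ETH_LEN
    ver_ihl, proto = frame[off], frame[off + 9]
    ip_total_len = struct.unpack_from("!H", frame, off + 2)[0]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != IPPROTO_GRE:
        raise ValueError("outer header is not IPv4 carrying GRE")
    declared_len = ETH_LEN + ip_total_len   # what the sender put on the wire
    off += ihl

    if len(frame) < off + 4:
        raise ValueError("capture ends before the GRE header")
    gre_flags, gre_proto = struct.unpack_from("!HH", frame, off)
    gre_len = 4
    if gre_flags & 0x8000:
        gre_len += 4                        # checksum + reserved word
    if gre_flags & 0x2000:
        gre_len += 4                        # key word
    if gre_flags & 0x1000:
        gre_len += 4                        # sequence number word
    off += gre_len

    if gre_proto == GRE_PROTO_ERSPAN_I_II:
        # Type II sets the GRE S bit and carries an 8-byte ERSPAN header; Type I has neither.
        erspan_type, erspan_len = ("II", 8) if gre_flags & 0x1000 else ("I", 0)
    elif gre_proto == GRE_PROTO_ERSPAN_III:
        if len(frame) < off + 12:
            raise ValueError("capture ends inside the ERSPAN Type III header")
        erspan_type, erspan_len = "III", 12
        if struct.unpack_from("!I", frame, off + 8)[0] & 0x1:
            erspan_len += 8                 # O bit: platform-specific subheader follows
    else:
        raise ValueError(f"GRE protocol 0x{gre_proto:04x} is not ERSPAN")
    off += erspan_len

    inner_eth_off = off                     # total outer header bytes to chop off
    inner_ip_off = off + ETH_LEN
    return {
        "erspan_type": erspan_type,
        "gre_len": gre_len,
        "erspan_len": erspan_len,
        "inner_eth_offset": inner_eth_off,
        "inner_ip_offset": inner_ip_off,
        # assumed meaning of encap_hdr_size: bytes between outer Ethernet and inner IP
        "encap_hdr_size": inner_ip_off - ETH_LEN,
        "truncated": len(frame) < declared_len,
        "missing_bytes": max(0, declared_len - len(frame)),
    }


def build_inner_frame() -> bytes:
    """Constructed inner Ethernet/IPv4/UDP-ish frame (values are made up)."""
    payload = b"hello"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, 17, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    return b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + ip + payload


def build_erspan_frame(inner: bytes, erspan_type: str = "II") -> bytes:
    """Constructed ERSPAN Type I or II wrapper around an inner frame (sample data)."""
    if erspan_type == "II":
        gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN_I_II, 1)     # S bit + seq
        erspan = struct.pack("!II", (1 << 28) | (100 << 16) | 5, 0)    # ver 1, VLAN 100, session 5
    else:
        gre = struct.pack("!HH", 0, GRE_PROTO_ERSPAN_I_II)
        erspan = b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre) + len(erspan) + len(inner),
                     0x1234, 0, 64, IPPROTO_GRE, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4) + ip + gre + erspan + inner


if __name__ == "__main__":
    full = build_erspan_frame(build_inner_frame())
    print(parse_erspan(full))          # Type II: inner Ethernet at 50, inner IP at 64
    print(parse_erspan(full[:70]))     # same headers, but flagged as truncated
```

For the constructed Type II frame the outer headers are 14 + 20 + 8 + 8 = 50 bytes, so chopping 50 bytes leaves a plain inner Ethernet frame; counting from after the outer Ethernet header to the inner IP header (20 + 8 + 8 + 14) also gives 50. A Type I frame (no sequence word, no ERSPAN header) needs 38 by the second count. Whichever way your decoder counts, running the parser over a real frame from your own span session is the check to do before editing encap_hdr_size, and the truncated flag tells you whether the tail of the inner packet survived the GRE overhead.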