[Bro] erspan decapsulation
Seth Hall
seth at icir.org
Thu Apr 16 13:15:25 PDT 2015
> On Apr 16, 2015, at 3:57 AM, Giedrius Ramas <giedrius.ramas at gmail.com> wrote:
>
> Thanks for the reply,
> I just figured out that I need to skip some bytes of the packet header. In my current case I need to skip 22 bytes. So I edited the ini-bare.bro file and changed the encap_hdr_size = 0 line to encap_hdr_size = 22. BRO can now understand the traffic. I do not know if I made a correct fix. Let me know if it is not the right way to do it.
Ideally we’d just support ERSPAN natively, but there’s nothing wrong with your solution.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
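
One way to check that a chosen encap_hdr_size value such as the 22 above is right, added here as an example that is not from the thread or the Bro project: given the bytes that follow a frame's link-layer header, test whether a checksum-valid IPv4 header starts after the skip. The function names and the sample frame are constructed, and counting the skip from the end of the link-layer header is an assumption about how the setting is applied.

```python
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 checksum; returns 0 over a header whose stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_at(payload: bytes, offset: int) -> bool:
    """True if a plausible, checksum-valid IPv4 header starts at payload[offset]."""
    if offset < 0 or offset + 20 > len(payload):
        return False
    version, ihl = payload[offset] >> 4, (payload[offset] & 0x0F) * 4
    if version != 4 or ihl < 20 or offset + ihl > len(payload):
        return False
    total_len = struct.unpack_from("!H", payload, offset + 2)[0]
    if total_len < ihl:
        return False
    return ipv4_checksum(payload[offset:offset + ihl]) == 0


def candidate_offsets(payload: bytes, max_skip: int = 64) -> list:
    """Every skip size up to max_skip that lands on a valid IPv4 header."""
    return [o for o in range(max_skip + 1) if ipv4_at(payload, o)]


def build_sample(skip: int) -> bytes:
    """Constructed sample: `skip` filler bytes standing in for the
    encapsulation header, then an IPv4 header and 8 bytes of payload."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0,
                                bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return b"\xaa" * skip + bytes(hdr) + b"\x00" * 8


if __name__ == "__main__":
    after_link_layer = build_sample(22)
    print("skip sizes that land on IPv4:", candidate_offsets(after_link_layer))
```

Running the same check over several captured frames and keeping only the offsets that validate in all of them guards against a single frame matching by chance.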