[Bro] erspan decapsulation

Seth Hall seth at icir.org
Thu Apr 16 13:15:25 PDT 2015


> On Apr 16, 2015, at 3:57 AM, Giedrius Ramas <giedrius.ramas at gmail.com> wrote:
> 
> Thanks for reply, 
> I just figure out that I need to skip some bytes of package header. In my current case I need to skip 22 bytes. So I edited ini-bare.bro file and changed encap_hdr_size = 0 line to encap_hdr_size = 22 . BRO can now understand traffic. Do not know  if I made a correct fix. Let me know if it is not a right way to do . 

Ideally we’d just support ERSPAN natively, but there’s nothing wrong with your solution.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/




More information about the Bro mailing list