[Bro] Protosig question, round 2

Azoff, Justin S jazoff at illinois.edu
Fri Nov 4 14:19:11 PDT 2016


> On Nov 4, 2016, at 4:59 PM, Zeolla at GMail.com <zeolla at gmail.com> wrote:
> 
> I have the same interests but for vxlan encapsulated traffic.  Last I heard, no luck doing this with bro.  Have to decap upstream.

I don't recall anyone ever asking about vxlan before.  I think it's a pretty trivial protocol to decode - look for udp 4789, skip 8 bytes, see if you have what looks like an ethernet frame.

The main issue with that and things like fabric path is the encapsulation into a limited number of outer l3 headers can cause flow hashing to be useless making it hard to load balance the traffic.

-- 
- Justin Azoff




More information about the Bro mailing list