[Bro] Protosig question, round 2
Azoff, Justin S
jazoff at illinois.edu
Fri Nov 4 14:19:11 PDT 2016
> On Nov 4, 2016, at 4:59 PM, Zeolla at GMail.com <zeolla at gmail.com> wrote:
>
> I have the same interests but for vxlan encapsulated traffic. Last I heard, no luck doing this with bro. Have to decap upstream.
I don't recall anyone ever asking about vxlan before. I think it's a pretty trivial protocol to decode - look for udp 4789, skip 8 bytes, see if you have what looks like an ethernet frame.
The main issue with that and things like fabric path is the encapsulation into a limited number of outer l3 headers can cause flow hashing to be useless making it hard to load balance the traffic.
--
- Justin Azoff
More information about the Bro
mailing list