[Bro] Protosig question, round 2

Zeolla@GMail.com zeolla at gmail.com
Fri Nov 4 14:38:36 PDT 2016


Right, I spoke to Arista directly about that too. On the Bro side I asked
via my Broala support contract.

Jon

On Fri, Nov 4, 2016, 17:19 Azoff, Justin S <jazoff at illinois.edu> wrote:

>
> > On Nov 4, 2016, at 4:59 PM, Zeolla at GMail.com <zeolla at gmail.com> wrote:
> >
> > I have the same interests but for vxlan encapsulated traffic.  Last I
> heard, no luck doing this with bro.  Have to decap upstream.
>
> I don't recall anyone ever asking about vxlan before.  I think it's a
> pretty trivial protocol to decode - look for udp 4789, skip 8 bytes, see if
> you have what looks like an ethernet frame.
>
> The main issue with that and things like fabric path is the encapsulation
> into a limited number of outer l3 headers can cause flow hashing to be
> useless making it hard to load balance the traffic.
>
> --
> - Justin Azoff
>
> --

Jon

Sent from my mobile device
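
The decode steps Justin describes in the quoted reply (UDP 4789, skip 8 bytes, check for an Ethernet frame), as an added example that is not code from the thread or from Bro. The flag check and VNI extraction follow the RFC 7348 header layout; the EtherType allow-list used as the "looks like Ethernet" test, the function names and the sample packet are assumptions of this example.

```python
import struct

VXLAN_PORT = 4789        # UDP destination port named in the thread
VXLAN_HDR_LEN = 8        # the "skip 8 bytes" step
ETH_HDR_LEN = 14
FLAG_VNI_VALID = 0x08    # RFC 7348 "I" flag: VNI field is valid
# Heuristic for "looks like an ethernet frame" (assumption of this example).
KNOWN_ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x8100: "802.1Q", 0x86DD: "IPv6"}


def decap_vxlan(udp_dport, udp_payload):
    """Return a dict describing the inner frame, or None if not plausible VXLAN."""
    if udp_dport != VXLAN_PORT:
        return None
    if len(udp_payload) < VXLAN_HDR_LEN + ETH_HDR_LEN:
        return None  # truncated: no room for header plus inner Ethernet header
    # 1 byte flags, 3 reserved bytes, then 24-bit VNI followed by 1 reserved byte.
    flags, vni_field = struct.unpack("!B3xI", udp_payload[:VXLAN_HDR_LEN])
    if not flags & FLAG_VNI_VALID:
        return None
    inner = udp_payload[VXLAN_HDR_LEN:]
    dst, src, ethertype = struct.unpack("!6s6sH", inner[:ETH_HDR_LEN])
    if ethertype not in KNOWN_ETHERTYPES:
        return None  # other UDP traffic that merely uses port 4789
    return {
        "vni": vni_field >> 8,  # drop the reserved low byte
        "dst_mac": dst.hex(":"),
        "src_mac": src.hex(":"),
        "ethertype": KNOWN_ETHERTYPES[ethertype],
        "inner_frame": inner,   # hand this to the normal L2 parser
    }


def build_sample(vni=5001):
    """Constructed UDP payload: VXLAN header + Ethernet header + zeroed IPv4 stub."""
    vxlan = struct.pack("!B3xI", FLAG_VNI_VALID, vni << 8)
    eth = bytes.fromhex("020000000002" "020000000001" "0800")
    return vxlan + eth + bytes(20)


if __name__ == "__main__":
    print(decap_vxlan(VXLAN_PORT, build_sample()))
```
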