[Bro] is vlan bpf broken in bro
erik clark
philosnef at gmail.com
Wed Mar 29 07:17:56 PDT 2017
Per this thread:
http://serverfault.com/questions/544651/vlan-tags-not-shown-in-packet-capture-linux-via-tcpdump
tcpdump can't process vlan filters. Testing confirms this.
From link:
tcpdump -i eth0 -Uw - | tcpdump -en -r - vlan 4
This works and displays only vlan 4 stuff. The reverse does not:
tcpdump -i eth0 -Uw - "vlan 4" |tcpdump -en -r -
This displays ALL vlans tagged in the traffic, and not just vlan 4.
This is on RHEL 7. Apparently there are some issues with x86_64 vlan
acceleration.
The short of it: Will bro respect vlan filters, or does it have the same
issue that tcpdump and libpcap seem to have?
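
Added example, not part of the original post: a way to check whether the output of a filtered capture, such as the "vlan 4" pipeline above, really contains only the wanted VLAN by reading the 802.1Q tag out of each frame. It assumes the frames are already available as raw Ethernet bytes; `vlan_ids`, `leaked`, `make_frame` and the sample frames are hypothetical names and constructed data.

```python
import struct

# Tag protocol identifiers: 802.1Q and 802.1ad (QinQ outer tag)
TPIDS = {0x8100, 0x88A8}

def vlan_ids(frame):
    """Return the VLAN IDs of every tag in an Ethernet frame, outermost first."""
    ids, off = [], 12                      # skip destination + source MAC
    while len(frame) >= off + 4:           # stop cleanly on truncated frames
        tpid, tci = struct.unpack_from("!HH", frame, off)
        if tpid not in TPIDS:
            break                          # reached the real EtherType
        ids.append(tci & 0x0FFF)           # low 12 bits of the TCI are the VID
        off += 4
    return ids

def leaked(frames, wanted):
    """Indexes of frames whose outer tag is missing or is not `wanted`."""
    return [i for i, f in enumerate(frames) if vlan_ids(f)[:1] != [wanted]]

def make_frame(*vids, ethertype=0x0800):
    """Constructed sample frame: zeroed MACs, optional tags, 4-byte payload."""
    tags = b"".join(struct.pack("!HH", 0x8100, v) for v in vids)
    return bytes(12) + tags + struct.pack("!H", ethertype) + b"\x00" * 4

# Constructed input: VLAN 4, VLAN 7, untagged, and VLAN 4 with inner tag 9
SAMPLE = [make_frame(4), make_frame(7), make_frame(), make_frame(4, 9)]

if __name__ == "__main__":
    # Frames that a working "vlan 4" filter should not have let through
    print(leaked(SAMPLE, 4))
```
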