[Bro] Bro decapsulating ERSPAN (GRE)

Jon Siwek jsiwek at corelight.com
Wed Oct 31 14:32:32 PDT 2018


On Wed, Oct 31, 2018 at 1:07 PM Jon Siwek <jsiwek at corelight.com> wrote:
>
> On Wed, Oct 31, 2018 at 12:40 PM Matt Thoreson
> <matt.thoreson at summitinfosec.com> wrote:
>
> > I thought Bro could by default recognize and decapsulate the real traffic from the GRE tunnel (according to the bro notes it should be able to do this) but so far when bro runs it just sees the gre traffic in its weird.log.
>
> It currently only handles a few GRE protocol types, and it doesn't seem
> that the ERSPAN ones are among them.

To clarify that further: I totally missed that the changelog does say
ERSPAN support was implemented, but I was just looking at the actual
code, which does not seem to handle ERSPAN Type II or III (protocol
types 0x88BE, 0x22EB).  The associated commit seems to instead handle
Transparent Ethernet Bridging (protocol type 0x6558).  Not sure if I'm
missing something.  Or if you can give a pcap to test against, that
could help to verify what's going on and also serve as a test case for
fixing anything that's broken/unimplemented in Bro.

- Jon
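As an added illustration (not code from Bro or from anyone in the thread), the following Python parses the GRE header and shows how the three protocol types named above differ in what sits between GRE and the inner Ethernet frame: a monitor that only knows Transparent Ethernet Bridging (0x6558) cannot find the frame inside an ERSPAN Type II (0x88BE) or Type III (0x22EB) session, so the inner traffic stays opaque. The packet bytes are constructed for the example, not taken from a capture.

```python
import struct

# GRE protocol types named in the thread (EtherType values carried in the GRE header).
GRE_TEB, GRE_ERSPAN_II, GRE_ERSPAN_III = 0x6558, 0x88BE, 0x22EB

def parse_gre(data):
    """Parse an RFC 2784/2890 GRE header; return (proto, options, payload)."""
    if len(data) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", data[:4])
    off, opts = 4, {}
    # C, K and S bits each add one 4-byte word (checksum word = 16-bit checksum + reserved).
    for bit, name in ((0x8000, "checksum"), (0x2000, "key"), (0x1000, "seq")):
        if flags & bit:
            if len(data) < off + 4:
                raise ValueError("truncated GRE options")
            (opts[name],) = struct.unpack("!I", data[off:off + 4])
            off += 4
    return proto, opts, data[off:]

def parse_erspan2(payload):
    """Parse the 8-byte ERSPAN Type II header; return (fields, inner Ethernet frame)."""
    if len(payload) < 8:
        raise ValueError("truncated ERSPAN Type II header")
    w1, w2 = struct.unpack("!II", payload[:8])
    fields = {"version": w1 >> 28, "vlan": (w1 >> 16) & 0xFFF,
              "cos": (w1 >> 13) & 0x7, "session_id": w1 & 0x3FF, "index": w2 & 0xFFFFF}
    return fields, payload[8:]

def decapsulate(data):
    """Return (kind, gre_options, erspan_fields, inner Ethernet frame) for one GRE payload."""
    proto, opts, payload = parse_gre(data)
    if proto == GRE_TEB:                 # Ethernet frame directly follows GRE
        return "teb", opts, None, payload
    if proto == GRE_ERSPAN_II:           # 8-byte ERSPAN header before the frame
        fields, inner = parse_erspan2(payload)
        return "erspan2", opts, fields, inner
    if proto == GRE_ERSPAN_III:          # fixed 12-byte header; optional platform subheader not handled
        return "erspan3", opts, None, payload[12:]
    return "unknown", opts, None, payload

# Constructed sample (not a real capture): GRE with S bit and seq 7, ERSPAN II version 1,
# VLAN 100, session 5, index 0x1234, then a 14-byte Ethernet header with EtherType IPv4.
ETH = bytes.fromhex("001122334455 66778899aabb 0800")
SAMPLE_ERSPAN2 = struct.pack("!HHI", 0x1000, GRE_ERSPAN_II, 7) + struct.pack("!II", 0x10640005, 0x1234) + ETH
SAMPLE_TEB = struct.pack("!HH", 0, GRE_TEB) + ETH
```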
