bro 2.5.4 Cannot Process PPPoE over QinQ Packets

Description

Hey!

When I use the following command to process the pcap file, bro cannot read the pcap and no packet-related log is generated.

bro -r ../QinQ.pcap.cap local "Log::default_rotation_interval = 1 day"

It just produced the following logs:

capture_loss.log
loaded_scripts.2011-01-08-22-32-30.log
packet_filter.2011-01-08-22-32-30.log
reporter.log
stats.2011-01-08-22-32-30.log

Test packet download link:
http://packetlife.net/captures/QinQ.pcap.cap

Environment

CentOS Linux release 7.5.1804

Activity

Jon Siwek
July 3, 2018, 2:08 AM

The test packet just contains 2 ARP requests and Bro does not have any default scripts/logs for ARP. Though it does appear to correctly process past the QinQ VLAN tags because you can run Bro w/ your own ARP event handlers defined in a script. E.g.:

And running it in Bro:

ChenHui.Li
July 6, 2018, 6:45 PM

I am sorry for my carelessness. I provided QinQ.pcap.cap for convenience. I have uploaded my test packet.
Can you reopen this issue?

Jon Siwek
July 6, 2018, 11:11 PM

Thanks, the problem wasn't QinQ by itself, which Bro could recognize, rather it was the combination of PPPoE over QinQ.

I've made a patch for merge consideration on git branch topic/jsiwek/bit-1950:

https://github.com/bro/bro/commit/ad9abd4c9b73a3d543df9463a9b1fe21ea9f3a56
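
The layering named in the comment above (PPPoE session data carried inside stacked VLAN tags), as an added example that is not part of the original thread and is not Bro's code. It walks the link-layer headers of one frame so an analyst can check which encapsulation a capture uses when a sensor produces no protocol logs; the function name and the sample frame are constructed for illustration.

```python
import struct

# EtherTypes for VLAN tags (802.1Q, 802.1ad, legacy QinQ) and PPPoE session.
VLAN_TYPES = {0x8100, 0x88A8, 0x9100}
PPPOE_SESSION = 0x8864
PPP_PROTOS = {0x0021: "IPv4", 0x0057: "IPv6"}
ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP"}


def decapsulate(frame: bytes):
    """Return (layer names, payload offset) for one Ethernet frame.

    Raises ValueError on a truncated or malformed header so the caller can
    count frames that could not be walked instead of silently skipping them.
    """
    def need(n):
        if len(frame) < n:
            raise ValueError(f"truncated frame: need {n} bytes, have {len(frame)}")

    need(14)
    layers, off = ["Ethernet"], 12
    (etype,) = struct.unpack_from("!H", frame, off)
    off += 2
    while etype in VLAN_TYPES:            # any number of stacked tags
        need(off + 4)
        tci, etype = struct.unpack_from("!HH", frame, off)
        layers.append(f"VLAN {tci & 0x0FFF}")
        off += 4
    if etype == PPPOE_SESSION:            # 6-byte PPPoE header + 2-byte PPP protocol
        need(off + 8)
        ver_type, code, session, _length, proto = struct.unpack_from("!BBHHH", frame, off)
        if ver_type != 0x11 or code != 0x00:
            raise ValueError("not a PPPoE session data packet")
        layers.append(f"PPPoE session 0x{session:04x}")
        layers.append(PPP_PROTOS.get(proto, f"PPP 0x{proto:04x}"))
        off += 8
    else:
        layers.append(ETHERTYPES.get(etype, f"EtherType 0x{etype:04x}"))
    return layers, off


# Constructed sample: IPv4 in PPPoE in QinQ (outer 0x88a8 tag 100, inner 0x8100 tag 200).
SAMPLE = (bytes.fromhex("ffffffffffff" "020000000001")
          + bytes.fromhex("88a80064" "810000c8" "8864")
          + bytes.fromhex("11" "00" "0001" "0016" "0021")
          + bytes.fromhex("45000014") + bytes(16))

if __name__ == "__main__":
    print(decapsulate(SAMPLE))
```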

ChenHui.Li
July 9, 2018, 1:23 PM

Thank you for your quick reply.

Merged

Assignee

Robin Sommer

Reporter

ChenHui.Li

Priority

Normal