When I use the following command to process the pcap file, bro cannot read the pcap and no packet-related log is generated.
bro -r ../QinQ.pcap.cap local "Log::default_rotation_interval = 1 day"
Just produced the following log:
Test packet download link:
CentOS Linux release 7.5.1804
The test packet just contains 2 ARP requests and Bro does not have any default scripts/logs for ARP. Though it does appear to correctly process past the QinQ VLAN tags because you can run Bro w/ your own ARP event handlers defined in a script. E.g.:
And running it in Bro:
I am sorry for my carelessness. I provided QinQ.pcap.cap for convenience. I have uploaded my test packet.
Can you reopen this issue ?
Thanks, the problem wasn't QinQ by itself, which Bro could recognize, rather it was the combination of PPPoE over QinQ.
I've made a patch for merge consideration on git branch topic/jsiwek/bit-1950:
Thank you for your quick reply.