policy/frameworks/conn_key/vlan_fivetuple.zeek

This script adapts Zeek’s connection key to include 802.1Q VLAN and Q-in-Q tags, when available. Zeek normally ignores VLAN tags for connection lookups; this change makes it factor them in and also makes those VLAN tags part of the conn_id record.

Summary

Redefinitions

`ConnKey::factory`: `ConnKey::Tag` `&redef`
`conn_id_ctx`: `record`	New Fields: `conn_id_ctx` vlan: `int` `&log` `&optional` The outer VLAN for this connection, if applicable. inner_vlan: `int` `&log` `&optional` The inner VLAN for this connection, if applicable.

Detailed Interface