dump files, loopback

Vern Paxson vern at ee.lbl.gov
Tue Feb 13 01:55:40 PST 2001


> 	I've installed Bro on a machine with FreeBSD 4.2 (libpcap 0.5). Since
> I cannot connect the machine to the network where I am now, I would like
> to test my policy. I've tried to start bro on the localhost interface. I am
> only using the standard conn.bro file, modified a little bit: the only
> processing of events I do is to write the name of the event function. It works
> with bro_init(). But nothing is logged (I am not using the log module, so it
> should appear in my terminal), but tcpdump 'sees' the traffic (telnet and
> ftp on localhost).
> 	I've also tried to read from a dump file of tcpdump (tcpdump -i lo0
> -w filename), but I get this kind of output:
> 	...
> 	weird: 981105864.406810 bad_IP_cheksum

The problem is likely in PktSrc::SetHdrSize(), which is hardwired to know
about a few interface types.  Presumably libpcap returns DLT_NULL for
the loopback interface.  The code currently sets the header length to 4 bytes
for that type.  Perhaps this has changed under FreeBSD (or never worked).

		Vern
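
Added example, not part of the original message and not Bro's code: a stand-alone C program showing how a wrong link-layer header length turns a valid loopback packet into a bad IP checksum. The names link_hdr_size and ip_hdr_sum and the sample packet are constructed for illustration; the packet assumes a little-endian host and an IPv4 header without options.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Link types, with the numeric values libpcap assigns them. */
enum { DLT_NULL = 0, DLT_EN10MB = 1 };

/* Link-layer header length for the types this example knows; -1 otherwise. */
static int link_hdr_size(int dlt) {
    switch (dlt) {
    case DLT_NULL:   return 4;   /* 4-byte protocol family, host byte order */
    case DLT_EN10MB: return 14;  /* dst MAC, src MAC, EtherType */
    default:         return -1;
    }
}

/* Folded one's-complement sum of the 20 bytes at `off`; 0xffff means the
 * IPv4 header checksum verifies. Returns -1 if fewer than 20 bytes remain. */
static long ip_hdr_sum(const uint8_t *pkt, size_t len, size_t off) {
    uint32_t sum = 0;
    if (off > len || len - off < 20) return -1;
    for (size_t i = 0; i < 20; i += 2)
        sum += ((uint32_t)pkt[off + i] << 8) | pkt[off + i + 1];
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (long)sum;
}

/* Constructed sample: DLT_NULL family word (AF_INET = 2), IPv4 header for
 * 127.0.0.1 -> 127.0.0.1 with a valid checksum (0x7ccd), then a TCP SYN to
 * port 23 whose own checksum is left zero. */
static const uint8_t sample[44] = {
    0x02, 0x00, 0x00, 0x00,
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x7c, 0xcd,
    0x7f, 0x00, 0x00, 0x01, 0x7f, 0x00, 0x00, 0x01,
    0x04, 0x00, 0x00, 0x17, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x02, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00,
};

int main(void) {
    const int dlts[] = { DLT_NULL, DLT_EN10MB };
    for (size_t i = 0; i < 2; i++) {
        int off = link_hdr_size(dlts[i]);
        long sum = ip_hdr_sum(sample, sizeof sample, (size_t)off);
        printf("DLT %d, offset %2d: sum 0x%04lx -> %s\n", dlts[i], off, sum,
               sum == 0xffff ? "checksum ok" : "bad IP checksum");
    }
    return 0;
}
```

The same bytes verify at offset 4 and fail at offset 14, so a capture reader that picks the wrong header length for the link type reports checksum errors on every packet.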


