Bro 0.8 and vlans

Mike Haberman mikeh at ncsa.uiuc.edu
Mon Feb 3 17:12:31 PST 2003


   Hi,

   I'm a recent subscriber, so if this has been covered, please point me.

   I am working on getting bro-pub-0.8a20 up and running on a FreeBSD box.
   We have bro-pub-0.7a90 running using an old hacked version of libpcap 
   to handle vlans.

   Anyway, I've updated to 0.7 of libpcap and compiled bro 0.8.

   in my policy file: redef restrict_filter = "vlan";

   so my resulting filter is
   (((((((((((ip[6:2] & 0x3fff != 0) and tcp) or (tcp[13] & 7 != 0)) or (port finger)) or (tcp port 113)) or (port ftp)) or (port telnet or tcp port 513)) or (port 111)) or (udp port 123)) or (udp port 69)) and vlan) 
   libpcap promptly complains: expression rejects all packets

   however if I rephrase it to be:
   (vlan and ((((((((((ip[6:2] & 0x3fff != 0) and tcp) or (tcp[13] & 7 != 0)) or (port finger)) or (tcp port 113)) or (port ftp)) or (port telnet or tcp port 513)) or (port 111)) or (udp port 123)) or (udp port 69))) 
   no problem.  tcpdump works fine with the above expression... seems to work :)

   so now, in bro, I use the redef capture_filter = <above expression>

   bro runs, but no packets are being captured.
   (i.e. bro -w tcp policyFile; the tcp file is empty)

   I also updated the PktSrc::SetHdrSize() to be
       DLT_EN10MB:
          hdr_size = 18; /* it was 14 */
   but still no luck..

   can anyone help me out??


   thanks a ton,

   mike haberman
   NCSA
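Added example, not part of the original post or of the Bro/libpcap code. The libpcap behaviour behind the two filters above is that the `vlan` primitive changes the decoding offsets for every primitive that follows it: after `vlan`, `ip` tests the ethertype at byte 16 instead of byte 12, and `ip[6:2]` reads from byte 18 + 6 instead of 14 + 6. With `vlan` placed last, `ip` still requires ether[12:2] == 0x0800 while `vlan` requires ether[12:2] == 0x8100, which can never both hold, so the optimizer reports "expression rejects all packets". The script below builds two constructed frames (untagged and 802.1Q tagged, VLAN id 100, addresses made up) and evaluates the `ip[6:2] & 0x3fff != 0` fragment test from the filter at both the fixed 14-byte offset and the tag-aware offset, which is the same 14-vs-18 difference the hdr_size change in PktSrc::SetHdrSize() is about.

```python
import struct

ETH_P_8021Q = 0x8100   # 802.1Q tag ethertype
ETH_P_IP = 0x0800      # IPv4 ethertype


def build_frame(tagged: bool, frag_field: int) -> bytes:
    """Constructed sample frame: Ethernet header, optional 802.1Q tag, minimal IPv4 header."""
    dst = bytes.fromhex("001122334455")          # constructed MAC addresses
    src = bytes.fromhex("66778899aabb")
    tag = struct.pack("!HH", ETH_P_8021Q, 100) if tagged else b""   # TPID + TCI (VLAN id 100)
    # IPv4: ver/IHL, TOS, total length, id, flags+frag offset, TTL, proto (6 = TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, frag_field, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return dst + src + tag + struct.pack("!H", ETH_P_IP) + ip


def ip_offset(frame: bytes):
    """Byte offset of the IPv4 header, or None if the frame does not carry IPv4.

    This mirrors what a leading `vlan` does in a BPF expression: once a tag is
    seen at byte 12, the real ethertype sits at byte 16 and payload starts at 18.
    """
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset = 14
    if ethertype == ETH_P_8021Q:
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        offset = 18
    return offset if ethertype == ETH_P_IP else None


def is_fragment(frame: bytes, offset: int) -> bool:
    """Equivalent of the BPF test `ip[6:2] & 0x3fff != 0` evaluated at the given IP offset."""
    field = struct.unpack_from("!H", frame, offset + 6)[0]
    return (field & 0x3fff) != 0


def fragment_check_fixed_14(frame: bytes) -> bool:
    """What the filter computes when `ip[6:2]` is evaluated without `vlan` first.

    On a tagged frame this reads IP header bytes 2..3 (total length) instead of
    the flags/fragment field, so the result is meaningless.
    """
    return is_fragment(frame, 14)


def ip_and_vlan_trailing(frame: bytes) -> bool:
    """Model of `(... ip ...) and vlan` with `vlan` last: both primitives test byte 12,
    one for 0x0800 and one for 0x8100, so the conjunction is false for every frame."""
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    return ethertype == ETH_P_IP and ethertype == ETH_P_8021Q


if __name__ == "__main__":
    for tagged in (False, True):
        f = build_frame(tagged, 0x4000)   # DF set, not a fragment
        print(f"tagged={tagged} ip_offset={ip_offset(f)} "
              f"frag_fixed14={fragment_check_fixed_14(f)} "
              f"frag_tag_aware={is_fragment(f, ip_offset(f))} "
              f"ip_and_vlan_trailing={ip_and_vlan_trailing(f)}")
```

Running it shows the tag-aware offset is 18 for the tagged frame and the fragment test is then correct, while the fixed 14-byte read reports the non-fragment tagged frame as a fragment, and the `... and vlan` form matches nothing at all.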

