[Bro] problem of multi-interface monitor?

Vern Paxson vern at icir.org
Tue Dec 28 00:08:50 PST 2004


> when I execute "bro -i eth0 -i eth1 login.bro", bro only captures and deals
> with packets from eth0 and drops all from eth1.

I'm unable to reproduce this problem.  That is, I'm able to run Bro on
two interfaces and, regardless of the order of the two, it always sees
their traffic.

Are your two interfaces identical?  (Same link layer type, neither vlan'd.)

> "1103734623.487821:ContentGap:NOTICE_ALARM_ALWAYS::192.168.10.10:2422/tcp:192.168.10.77:23/tcp::::::192.168.10.10/2422         > 192.168.10.77/telnet content gap (> 69/11):"
>  
> after that, I remove "capture-filter ......" from login.bro and try again, bro can capture and do rightly.

What does "do rightly" mean here?  That without the capture_filters in
login.bro, using both interfaces works correctly?

What happens if you trace each interface at the same time using
tcpdump -s 0, and then replay the traces using bro -r trace0 -r trace1 .... ?

		Vern
