[Bro] Problem: Bro listening on two ethernet interfaces

Christian Kreibich christian at whoop.org
Mon May 23 12:19:12 PDT 2005

Hi Christoph,

On Mon, 2005-05-23 at 17:54 +0100, Christoph Goeldi wrote:
> I found a small C-program that allows to listen on multiple interfaces and to
> write the captured packets to a file:
> http://www.isi.edu/~hussain/software/snoop.c
> And it works!!!
> I'm really not (yet) the pcap-crack. Does somebody know what's the difference
> between this program and the bro implementation?

I had a quick look at snoop.c and it basically does the most
straightforward thing for the task: a select() on the file descriptors
associated with the pcap handles of the interfaces.

Bro's approach is somewhat more involved because you cannot afford a
per-packet select() call on a busy link (see Robin's comments in
IOSource.cc). Maybe IOSourceRegistry::FindSoonest() would be a good
place to start digging.

> I really appreciate any help.

I'm sorry I can't help any further regarding this -- if you're on Linux,
have you tried letting the kernel sort this out and just use the "any"
interface (I forget whether this has been proposed in this thread


More information about the Bro mailing list