[Bro] Problem: Bro listening on two ethernet interfaces
goeldich at ee.ethz.ch
Mon May 23 13:41:21 PDT 2005
>> I found a small C-program that allows to listen on multiple interfaces
>> and to write the captured packets to a file:
>> And it works!!!
>> I'm really not (yet) the pcap-crack. Does somebody know what's the
>> difference between this program and the bro implementation?
> I had a quick look at snoop.c and it basically does the most
> straightforward thing for the task: a select() on the file descriptors
> associated with the pcap handles of the interfaces.
> Bro's approach is somewhat more involved because you cannot afford a
> per-packet select() call on a busy link (see Robin's comments in
> IOSource.cc). Maybe IOSourceRegistry::FindSoonest() would be a good
> place to start digging.
Okay. I'll try to figure out more about this ominous select().
>> I really appreciate any help.
> I'm sorry I can't help any further regarding this -- if you're on Linux,
> have you tried letting the kernel sort this out and just use the "any"
> interface (I forget whether this has been proposed in this thread
I'll try the any interface tomorrow. But it wouldn't solve my problems
anyway because I want to specifically select the observed interfaces and
not capture the packets of all interfaces of this host.
Thanks for your help.
More information about the Bro