[Bro] Problem: Bro listening on two ethernet interfaces

Christoph Göldi goeldich at ee.ethz.ch
Mon May 23 13:41:21 PDT 2005

Hi Christian

>> I found a small C-program that allows to listen on multiple interfaces
>> and to write the captured packets to a file:
>> http://www.isi.edu/~hussain/software/snoop.c
>> And it works!!!
>> I'm really not (yet) the pcap-crack. Does somebody know what's the
>> difference between this program and the bro implementation?
> I had a quick look at snoop.c and it basically does the most
> straightforward thing for the task: a select() on the file descriptors
> associated with the pcap handles of the interfaces.
> Bro's approach is somewhat more involved because you cannot afford a
> per-packet select() call on a busy link (see Robin's comments in
> IOSource.cc). Maybe IOSourceRegistry::FindSoonest() would be a good
> place to start digging.

Okay. I'll try to figure out more about this ominous select().

>> I really appreciate any help.
> I'm sorry I can't help any further regarding this -- if you're on Linux,
> have you tried letting the kernel sort this out and just use the "any"
> interface (I forget whether this has been proposed in this thread
> before)?

I'll try the any interface tomorrow. But it wouldn't solve my problems
anyway because I want to specifically select the observed interfaces and
not capture the packets of all interfaces of this host.

Thanks for your help.

More information about the Bro mailing list