[Bro] RHEL 4.0/endace 10GigE/Bro
aashish at uiuc.edu
Thu Feb 9 09:47:16 PST 2006
So I have been able to successfully compile and install bro on RHEL4.0 with dag support. Looks like bro is able to recognize DAG cards as well.
There were multiple issues which I ended up fixing, of course with the help from this list. Thanks a lot.
Just for future reference:
1) compile libpcap-0.9.4 (latest version which has DAG support) to enable DAG options
./configure --disable-localpcap --libdir=/usr/local/lib --with-dag=/usr/local/dag --prefix=/usr/local CFLAGS="-D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
2) I removed "aux" from compilation list
3) Compile bro with the following :
./configure '--disable-localpcap' '--enable-selectloop' '--prefix=/usr/local/bro' '--libdir=/usr/local/lib' CFLAGS='-I/usr/local/include' LDFLAGS='-L/usr/local/lib'
Bro installed successfully and starts/stops just fine but it's not capturing any data so far. I have defined dag0 and dag1 as capture interfaces in bro.cfg.
The info.bro file is a little unusual. It does not pick up any capture filter. Is this normal for dag* interfaces? Is there any default filter then? If not, how can I fix this capture filter issue?
I tried redefining capture filter in hostname.bro file in site folder but in vain.
Here is the info.bro log:
listening on dag0
Bro Version: 1.0
Started with the following command line options: -W -i dag0 -i dag1 mybrobox.bro
listening on dag1
Reading .state/state.bst ...
Capture filter: <not available>
Any thoughts ??
Thanks a lot for all the help.
On Wed, Feb 08, 2006 at 10:57:06AM -0800, Robin Sommer wrote:
> On Tue, Feb 07, 2006 at 23:06 -0600, you wrote:
> > Yes we would definitely like to try your prototypical code for DAG
> > support. Can you please share it with us.
> Great! I think I need to get approval from Endace to give out the
> code (the API is subject to non-disclosure) but that shouldn't be a
> problem. I'll then update the code to the current devel version and
> send you a patch. You won't need much of documentation as it
> essentially just acts like any other device. You still need to
> setup the DAG card with the Endace tools though as that's not
> yet part of the code (the API for these things is undocumented).
> > Also, is there any specific manner to define dag interfaces in
> > bro.cfg ? since dag interfaces don't behave like regular network
> > interfaces.
> Not sure if I understand what you mean. With the patch, you'll just
> use "dag0" as the capture device and Bro will figure out that it is
> a DAG card. When using the pcap wrapper, it should behave like any
> other pcap device, should it not?
> > Also, I tried removing "-I../../include-linux" very coarsely by commenting the code in configure file.
> Sorry, then this doesn't help. Was really just a guess as I remember
> having solved some similar problem once by getting rid of this -I.
> (For the pcap error, see my upcoming post to the list).
> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
> ICIR/ICSI * Fax +1 (510) 666-2956 * www.icir.org