[Bro] Number of simultaneous pcap_open calls per interface
vern at icir.org
Wed Apr 21 22:48:09 PDT 2010
> Can anyone explain the number of, and reasoning behind, multiple
> pcap_open calls to the same interface ? Is one used for each type of
> analyzer ?
You should see at most two calls. One is for the main Bro processing,
and the second, if present, is for the "secondary filter". Unless you
went out of your way to instantiate the latter, it should only be active
if you did @load large-conns or @load secondary-filter . (You'll also
get this if you @load all , which is only meant for testing.)
If you're not doing that, then it's worth breakpointing the pcap_open
calls and sending along tracebacks from each of them.
More information about the Bro