[Bro] Bro 1.5.1, FreeBSD, Mirror-Port questions
ml at grid.einherjar.de
Thu Jun 3 15:05:49 PDT 2010
> Hello List,
> Currently we need to move BRO to another box where it will monitor the
> network on a mirror/monitor-port and not as now on a transparent bridge.
> We configured a mirror/monitor port on our network equipment, we have a
> gigabit interface without an IP-Address where all traffic is monitored.
It seems that the problem lies in the network - I cannot see, for example,
SYN+ACK packets on the mirror port.
I made tcpdump-traces at both points - bridge and mirroring-port of the
same connection and ran bro on it.
-- on mirroring-port
1275600294.796861 2.990471 62.xx.xx.xx 10.20.20.54 ssh 54305 22 tcp 1636 ? SH X cc=1
1275600303.621237 ? 62.xx.xx.xx 10.20.20.54 ssh 55537 22 tcp ? ? S0 X cc=1
-- same connection on bridge
1275599866.464086 2.992575 62.xx.xx.xx 10.20.20.54 ssh 54305 22 tcp 1637 2120 SF X
Sorry for the 'false-alarm'.
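
The comparison described in the message above, as an added example that is not part of the original post and not Bro's own code: it parses the quoted conn.log lines, flags TCP connections where only the originator side was seen (states S0 and SH with unknown responder bytes), and pairs the two capture points by 5-tuple. The column names and function names are assumptions chosen here to label the fields visible in the quoted lines.

```python
# Added example. Column names are labels assumed for the fields in the quoted lines.
FIELDS = ("start", "duration", "orig_h", "resp_h", "service", "orig_p",
          "resp_p", "proto", "orig_bytes", "resp_bytes", "state", "flags")

# Bro states in which no SYN+ACK from the responder was observed.
ONE_SIDED = {"S0", "SH"}

# Lines as quoted in the post (addresses were already masked there).
MIRROR_LOG = """\
1275600294.796861 2.990471 62.xx.xx.xx 10.20.20.54 ssh 54305 22 tcp 1636 ? SH X cc=1
1275600303.621237 ? 62.xx.xx.xx 10.20.20.54 ssh 55537 22 tcp ? ? S0 X cc=1
"""
BRIDGE_LOG = """\
1275599866.464086 2.992575 62.xx.xx.xx 10.20.20.54 ssh 54305 22 tcp 1637 2120 SF X
"""

def parse_log(text):
    """Return one dict per well-formed line; short or empty lines are skipped."""
    recs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= len(FIELDS):
            rec = dict(zip(FIELDS, parts))
            rec["addl"] = " ".join(parts[len(FIELDS):])  # optional trailing tags
            recs.append(rec)
    return recs

def is_one_sided(rec):
    """True when only originator traffic reached the sensor for a TCP connection."""
    return (rec["proto"] == "tcp" and rec["state"] in ONE_SIDED
            and rec["resp_bytes"] == "?")

def summarize(text):
    """Return (tcp connections, one-sided connections, ratio) for one capture point."""
    tcp = [r for r in parse_log(text) if r["proto"] == "tcp"]
    flagged = [r for r in tcp if is_one_sided(r)]
    return len(tcp), len(flagged), (len(flagged) / len(tcp) if tcp else 0.0)

def five_tuple(rec):
    return (rec["orig_h"], rec["orig_p"], rec["resp_h"], rec["resp_p"], rec["proto"])

def compare(mirror_text, bridge_text):
    """Connections seen at both points whose state differs: (5-tuple, mirror, bridge)."""
    bridge = {five_tuple(r): r for r in parse_log(bridge_text)}
    return [(five_tuple(r), r["state"], bridge[five_tuple(r)]["state"])
            for r in parse_log(mirror_text)
            if five_tuple(r) in bridge and bridge[five_tuple(r)]["state"] != r["state"]]

if __name__ == "__main__":
    print("mirror:", summarize(MIRROR_LOG))
    print("bridge:", summarize(BRIDGE_LOG))
    print("state mismatches:", compare(MIRROR_LOG, BRIDGE_LOG))
```

A one-sided ratio near 1.0 on the mirror port, while the same connections reach SF elsewhere, points at the mirror configuration copying only one traffic direction rather than at the sensor.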