[Bro] help required in logs with bro

Yagyesh Srivastava ysrivas at ncsu.edu
Wed Nov 23 14:01:48 PST 2016

By bro binary you mean " bro -i eth0" command?
I can see that when I give this command it's listening on eth0 interface.
It initially gave me a warning saying due to NIC checksum it is receiving
bad checksum packets so it will discard it.
So I ran the above command with -C option.
Is this what you were referring to?
Could you please help me understand what's the difference between this
command and broctl?

Thanks and regards

On Nov 23, 2016 4:54 PM, "anthony kasza" <anthony.kasza at gmail.com> wrote:

> Your VM may be using its loopback address for the connection to the local
> Apache server. If Bro is listening on eth0 (not the loopback interface) it
> won't see that traffic.
> As for the curl'ing of external sites, have you tried something basic like
> tcpdump just to make sure packets are moving? I'd also try running the Bro
> binary, without broctl, on an interface just to make sure Bro is compiled,
> happy, and seeing packets move.
> -AK
> On Nov 23, 2016 1:33 PM, "Yagyesh Srivastava" <ysrivas at ncsu.edu> wrote:
>> Hi,
>> I have downloaded bro and built it on a VM, using configure, make and
>> make install.
>> Then i ran broctl install and deploy.
>> when i run broctl using "sudo broctl start" and subsequently issue "sudo
>> broctl status", it shows bro running as standalone on localhost.
>> my /nsm/bro/etc/nod.cfg file has
>> type = standalone
>> host = localhost
>> interface = eth0
>> Now when i try to connect to internet using my vm browser
>> or i curl to localhost (which has apache server running and after making
>> node.cfg file to hear on interface loopback) in either of the cases i
>> cannot see any logs getting generated.
>> *can someone please help me with this issue?*I dont think bro is
>> sniffing on the correct interface , there is something trivial i am
>> guessing which is going wrong. Please provide any pointers if possible.
>> Thanks,
>> Yagyesh
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20161123/62167bda/attachment.html 

More information about the Bro mailing list