[Bro-Dev] [JIRA] (TM-16) Index not working when traffic encapsulated in 802.1q trunk
tyler.schoenke (JIRA)
jira at bro-tracker.atlassian.net
Mon Dec 2 10:38:45 PST 2013
tyler.schoenke created TM-16:
--------------------------------
Summary: Index not working when traffic encapsulated in 802.1q trunk
Key: TM-16
URL: https://bro-tracker.atlassian.net/browse/TM-16
Project: Time Machine
Issue Type: Problem
Affects Versions: git/master
Environment: Ubuntu 10.04 , pf_ring
Reporter: tyler.schoenke
Hi All,
When I query the time machine index, I am not receiving any results.
I just restarted time machine, and checked one of the recent class files to see there is traffic for a particular IP address.
tcpdump -e -v -n -r class_all_1385406639.023206 "vlan and host 128.138.44.198"
It shows some traffic, example:
128.138.44.198.54014 > 74.125.225.209.443: Flags [.], cksum 0x8d2c (correct), seq 1283940799:1283940800, ack 615539104, win 16311, length 1
19:11:00.571731632 10:8c:cf:57:46:00 > 00:1d:09:6a:d9:a9, ethertype 802.1Q (0x8100), length 70: vlan 987, p 0, ethertype IPv4, (tos 0x0, ttl 56, id 17482, offset 0, flags [none], proto TCP (6), length 52)
When I telnet localhost 42042 and run the following command, I don't receive any results.
query to_file "128.138.44.198.pcap" index ip "128.138.44.198"
In the above tcpdump, you can see my traffic is 802.1Q trunked. I have to use the "vlan" BPF to extract it with tcpdump, and am wondering if the trunking is causing problems with indexing?
I tested the same version of time machine on non-trunked traffic, and the index works fine.
Let me know if you need any other configuration info.
Tyler
--
This message was sent by Atlassian JIRA
(v6.2-OD-03#6206)
More information about the bro-dev
mailing list