[Bro-Dev] Pktsrc prefix separator (Re: [JIRA] (BIT-1267) packet source prefix separator in node.cfg breaks broctl)

Daniel Thayer dnthayer at illinois.edu
Thu Oct 2 08:56:14 PDT 2014


On 10/02/2014 10:45 AM, Robin Sommer wrote:
> (Taking this to bro-dev for discussion.)
>
> On Wed, Oct 01, 2014 at 22:31 -0500, Daniel wrote for
> https://bro-tracker.atlassian.net/browse/BIT-1267:
>
>> Using a different class (instead of SafeConfigParser) from the
>> ConfigParser module seems to fix the problem.
>
> Seems I hit another prefix separator that already had a meaning. :)
>
> SafeConfigParser implements some interpolation features using % as the
> control character. I don't think we're using that anywhere, so it
> might be fine; on the other hand the docs say:
>
>      Derived class of ConfigParser that implements a more-sane variant
>      of the magical interpolation feature. This implementation is more
>      predictable as well. New applications should prefer this version
>      if they don’t need to be compatible with older versions of
>      Python."
>
> So we can either ignore that, or change the prefix separator once
> more. If we did the latter, any idea what would be a good one? As a
> reminder, the problem is specifying the packet source plugin to use
> with an interface, e.g., currently you'd say "-i netmap%eth1" to
> monitor eth1 via the netmap plugin. It used to be "-i netmap:eth1" but
> that conflicts with some BPF devices that use the colon already. So,
> what would be better than ':' or '%', both visually and in terms of
> not conflicting with existing interface naming conventions?
>
> Robin

Just out of curiosity, I'm wondering why it was implemented as a
prefix to the interface name, as opposed to just specifying
the packet source with a different cmd-line option?
(for example:  bro --pktsrc netmap -i eth0)

Is it expected that someone will want to do something
like this:   bro -i netmap:eth0 -i pcap:eth1


More information about the bro-dev mailing list