expression rejects all packets

Vern Paxson vern at ee.lbl.gov
Thu Sep 6 17:23:46 PDT 2001


>   #./bro -i sk0 -i sk1 mt ncsa
>   listening on sk0
>   ./bro: problem with interface sk1 - pcap_compile((vlan) and (((((((((ip[6:2] &
>   0x3fff != 0) and tcp) or (tcp[13] & 0x7 != 0)) or (port finger)) or (tcp port
>   113)) or (port ftp)) or (port telnet or tcp port 513)) or (port 111)) or (udp
>   port 123))): expression rejects all packets
> 
>   the contents of ncsa.bro are:
> 
>     redef restrict_filter = "vlan";
> 
>   It's weird; it looks like the pcap expression compiles for one interface but
>   not the second.

First thing to try is feeding the expression manually to tcpdump for each
of the interfaces, to see whether you get the same message.

I suspect the problem is that "vlan" expands into something that equates to
"not ip", and so the conjunction is always false, since all of the other
expressions require "ip" to be true.  I'm not sure how to fix this, as
my version of tcpdump/libpcap doesn't know about "vlan".

>   For my
>   purposes I don't need to look at the native VLAN since there is no traffic
>   on it.)

Then wouldn't your filter be "not vlan" rather than "vlan"?

>   In order to get this far I had to rearrange the order of capture_f and
>   restrict_f in main.cc; I put restrict on the left and capture on the left.
>   Without doing that, the expression wouldn't compile the pcap expression for
>   the first interface.

That doesn't sound good - they're just a conjunction together, so pcap
should compile them in either order.  I wonder if "vlan" is implemented
inside pcap as some sort of hack ...

		Vern
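
The following is an added example, not code from the thread or from Bro: a
shell script that does what Vern suggests above, feeding each half of the
filter, and the conjunction in both orders, to "tcpdump -d" and classifying
the result.  It compiles against a constructed, empty Ethernet savefile
(link type 1, DLT_EN10MB) rather than a live interface, so it needs neither
sk0/sk1 nor root.  Assumptions: tcpdump is on PATH, and the service names in
the reported filter (finger, ftp, telnet) are replaced by their port numbers
so the check does not depend on /etc/services.  Relevant to the ordering
puzzle in the report: pcap-filter(7) documents that the first "vlan" keyword
changes the decoding offsets for the remainder of the expression, so
"vlan and ip" and "ip and vlan" compile to different programs.  In the
second form "ip" has already pinned the EtherType at offset 12 to 0x0800
when "vlan" demands an 802.1Q tag ID at the same offset, and the optimizer
reduces the program to "reject everything", which is the error shown above.

```shell
#!/bin/sh
# Added example (not Bro's code): compile candidate BPF filters with
# "tcpdump -d" against a constructed empty pcap savefile and classify the
# outcome, so each half of Bro's filter can be tried alone and in both
# conjunction orders.  Assumes tcpdump is on PATH.

PCAP=${PCAP:-${TMPDIR:-/tmp}/empty-en10mb.pcap}

# Constructed input: a 24-byte pcap global header and no packets.
# Little-endian magic 0xa1b2c3d4, version 2.4, zone 0, sigfigs 0,
# snaplen 65535, network 1 (Ethernet / DLT_EN10MB).
make_empty_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
}

# compile_filter EXPR -> prints exactly one of: ok, rejects, error, no-tcpdump
#   ok       pcap_compile accepted the expression
#   rejects  accepted syntactically but optimized to "reject all packets"
#   error    any other compile failure (for example a syntax error)
compile_filter() {
    command -v tcpdump >/dev/null 2>&1 || { echo no-tcpdump; return 0; }
    [ -s "$PCAP" ] || make_empty_pcap "$PCAP"
    # Keep only stderr; the BPF listing on stdout is not needed here.
    if err=$(tcpdump -r "$PCAP" -d "$1" 2>&1 >/dev/null); then
        echo ok
    elif printf '%s\n' "$err" | grep -q 'rejects all packets'; then
        echo rejects
    else
        echo error
    fi
}

# Bro's capture filter from the report, with service names replaced by
# port numbers (finger=79, ftp=21, telnet=23) so /etc/services is not needed.
CAPTURE='((((((((ip[6:2] & 0x3fff != 0) and tcp) or (tcp[13] & 0x7 != 0)) or (port 79)) or (tcp port 113)) or (port 21)) or (port 23 or tcp port 513)) or (port 111)) or (udp port 123)'

# compare_orders: the restrict filter, the capture filter, and the two
# possible orders of their conjunction, one result line per variant.
compare_orders() {
    for expr in 'vlan' 'not vlan' 'ip and vlan' 'vlan and ip' \
                "$CAPTURE" "(vlan) and ($CAPTURE)" "($CAPTURE) and (vlan)"; do
        printf '%-8s %s\n' "$(compile_filter "$expr")" "$expr"
    done
}

compare_orders
```

Run it as-is, or point PCAP at a real capture from the interface in
question so the filter is compiled for that interface's actual link type;
a savefile with a non-Ethernet link type is the quickest way to see
whether an expression that compiles for one interface is rejected for
another.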
