Bro 0.8 and vlans

Vern Paxson vern at icir.org
Thu Feb 6 22:02:19 PST 2003 

>    in my policy file: redef restrict_filter = "vlan";

Oops.  Unfortunately, "vlan" is a hack bolted onto tcpdump/libpcap.
I discussed bugs in it that Bro tickled with Bill Fenner a while ago.
Here's the tail end of that thread, which included a patch that worked for
one of your NCSA colleagues.

>    no problem.  tcpdump works fine with the above expression.. seems to work :)
> 
>    so now, in bro, I use the redef capture_filter = <above expression>

There were also some related problems with Bro reading from multiple
interfaces, because the vlan keyword diddles the hdr_size in a non-reentrant
way (or at least it used to), but I don't know if that's what's tripping
you up or not.

Does Bro work okay for you w/o the "vlan"?

		Vern


Date:  Mon, 5 Nov 2001 00:02:49 -0600
From:  Jon Dugan <jdugan at ncsa.uiuc.edu>
Subject:  Re: expression rejects all packets
To:  Bill Fenner <fenner at research.att.com>
Cc:  vern at ee.lbl.gov, tony at ncsa.uiuc.edu
X-Envelope-From:  jdugan at ncsa.uiuc.edu
Resent-To:  fenner at research.att.com, vern at ee.lbl.gov

Bill,

  Well, I finally got a chance to try this patch -- it does indeed fix the
  problem.

  Thanks!

On Wed, Sep 12, 2001 at 08:47:34PM -0700, Bill Fenner wrote:
> 
> Here's a not very elegant patch to try; it fixes the multiple compilation
> problem in my test program (not bro, just a filter expression tester).
> 
>   Bill
> 

> Index: gencode.c
> ===================================================================
> RCS file: /tcpdump/master/libpcap/gencode.c,v
> retrieving revision 1.157
> diff -u -r1.157 gencode.c
> --- gencode.c	2001/07/03 19:15:47	1.157
> +++ gencode.c	2001/09/13 03:36:41
> @@ -78,6 +78,9 @@
>  static jmp_buf top_ctx;
>  static pcap_t *bpf_pcap;
>  
> +/* Hack for updating VLAN offsets. */
> +static u_int	orig_linktype = -1, orig_nl = -1;
> +
>  /* XXX */
>  #ifdef PCAP_FDDIPAD
>  int	pcap_fddipad = PCAP_FDDIPAD;
> @@ -551,6 +554,9 @@
>  {
>  	linktype = type;
>  
> +	orig_linktype = -1;
> +	orig_nl = -1;
> +
>  	switch (type) {
>  
>  	case DLT_ARCNET:
> @@ -3873,7 +3879,6 @@
>  gen_vlan(vlan_num)
>  	int vlan_num;
>  {
> -	static u_int	orig_linktype = -1, orig_nl = -1;
>  	struct	block	*b0;
>  
>  	/*


-- 
Jon Dugan             |  Senior Network Engineer, NCSA Network Development
jdugan at ncsa.uiuc.edu  |  269 CAB, 605 E Springfield, Champaign, IL 61820
217-244-7715          |  http://www.ncsa.uiuc.edu/people/jdugan

More information about the Bro mailing list