[Bro] problem of multi-interface monitor?
Ruoming Pang
rpang at CS.Princeton.EDU
Thu Dec 30 10:53:31 PST 2004
On Dec 22, 2004, at 9:42 AM, 亮 李 wrote:
> Hello,
> when I execute "bro -i eth0 -i eth1 login.bro", bro only captures and
> deals with packets from eth0 and drops all from eth1.
>
> "1103734623.487821:ContentGap:NOTICE_ALARM_ALWAYS::192.168.10.10:2422/
> tcp:192.168.10.77:23/tcp::::::192.168.10.10/2422 >
> 192.168.10.77/telnet content gap (> 69/11):"
>
> after that, I remove "capture-filter ......" from login.bro and try
> again, bro can capture and do rightly.

What if you execute "bro -f '' ..." (which manually sets the filter to
capture all packets)?

How about '-f "port telnet or tcp port 513"'?

Finally, without specifying the -f flag, what's the output if you print
capture_filter in event bro_init()? Adding the following piece of code
(to login.bro) will do:

    event bro_init()
    {
        print fmt("%s", capture_filter);
    }

Ruoming