[Bro] problem of multi-interface monitor?

Ruoming Pang rpang at CS.Princeton.EDU
Thu Dec 30 10:53:31 PST 2004


On Dec 22, 2004, at 9:42 AM, 亮 李 wrote:

> Hello,
> When I execute "bro -i eth0 -i eth1 login.bro", Bro only captures and
> deals with packets from eth0 and drops all from eth1.
>  
> "1103734623.487821:ContentGap:NOTICE_ALARM_ALWAYS::192.168.10.10:2422/tcp:192.168.10.77:23/tcp::::::192.168.10.10/2422 > 192.168.10.77/telnet content gap (> 69/11):"
>  
> After that, I remove "capture-filter ......" from login.bro and try
> again, and Bro can capture and work correctly.

What if you execute "bro -f '' ..." (which manually sets the filter to  
capture all packets)?

How about '-f "port telnet or tcp port 513"'?

Finally, without specifying the -f flag, what's the output if you print  
capture_filter in event bro_init()? Adding the following piece of code  
(to login.bro) will do:

event bro_init()
	{
	# print the packet filter Bro ends up using at startup
	print fmt("%s", capture_filter);
	}

Ruoming
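While trying the filter variants suggested above, it helps to tally which connections are reporting ContentGap notices on each run, since a gap means the monitor missed packets of that connection. The following is an added example (Python, not Bro's own code and not from the original thread) that parses notice lines in the layout of the one quoted above and counts gaps per connection. The field positions are an assumption drawn from that single sample line, and the sample input is constructed: the quoted notice plus two made-up lines in the same layout.

```python
"""Parser and summariser for Bro notice lines in the layout of the ContentGap
notice quoted in the thread.

Added example, not Bro's own code. The layout (colon-separated fields, a
trailing colon, source addr:port/proto, destination addr:port/proto, then the
free-text message after a run of empty fields) is inferred from the single
sample line in the thread; the field positions are therefore an assumption.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample input: the notice from the thread, plus two made-up lines
# in the same layout so that the summary has something to aggregate.
SAMPLE_NOTICES = """\
1103734623.487821:ContentGap:NOTICE_ALARM_ALWAYS::192.168.10.10:2422/tcp:192.168.10.77:23/tcp::::::192.168.10.10/2422 > 192.168.10.77/telnet content gap (> 69/11):
1103734630.102211:ContentGap:NOTICE_ALARM_ALWAYS::192.168.10.10:2422/tcp:192.168.10.77:23/tcp::::::192.168.10.10/2422 > 192.168.10.77/telnet content gap (> 120/8):
1103734641.555000:ContentGap:NOTICE_ALARM_ALWAYS::192.168.10.50:3100/tcp:192.168.10.77:513/tcp::::::192.168.10.50/3100 > 192.168.10.77/login content gap (> 40/4):
"""


@dataclass(frozen=True)
class Notice:
    ts: float
    kind: str        # e.g. "ContentGap"
    action: str      # e.g. "NOTICE_ALARM_ALWAYS"
    src: str
    src_port: int
    dst: str
    dst_port: int
    proto: str
    msg: str


def _split_port(field: str) -> Tuple[int, str]:
    """'2422/tcp' -> (2422, 'tcp'); raises ValueError on anything else."""
    port, proto = field.split("/", 1)
    return int(port), proto


def parse_notice(line: str) -> Optional[Notice]:
    """Parse one notice line; return None for lines that do not fit the layout."""
    fields = line.rstrip("\n").split(":")
    # Assumed positions (from the sample): 0 ts, 1 type, 2 action, 4 src,
    # 5 src port/proto, 6 dst, 7 dst port/proto, 13.. message.
    if len(fields) < 14:
        return None
    try:
        ts = float(fields[0])
        src_port, src_proto = _split_port(fields[5])
        dst_port, dst_proto = _split_port(fields[7])
    except ValueError:
        return None
    if src_proto != dst_proto:
        return None
    # The message may itself contain ':'; rejoin it and drop the trailing colon.
    msg = ":".join(fields[13:]).rstrip(":")
    return Notice(ts, fields[1], fields[2], fields[4], src_port,
                  fields[6], dst_port, src_proto, msg)


def content_gaps(lines: Iterable[str]) -> Dict[Tuple[str, str, int], int]:
    """Count ContentGap notices per (src, dst, dst_port) so you can see which
    monitored services are missing packets in a given run."""
    counts: Counter = Counter()
    for line in lines:
        n = parse_notice(line)
        if n is not None and n.kind == "ContentGap":
            counts[(n.src, n.dst, n.dst_port)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (src, dst, dport), cnt in sorted(
            content_gaps(SAMPLE_NOTICES.splitlines()).items()):
        print(f"{src} -> {dst}:{dport}  content gaps: {cnt}")
```

Run it once per filter variant (no -f, -f '', -f "port telnet or tcp port 513") over the notice output of that run; if gaps vanish only when the filter is emptied, the filter, not the second interface, is the thing to look at.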