[Bro] bro09a[8-9] inline libpcap 8 file pb
rmkml
rmkml at free.fr
Sun Jul 3 14:03:56 PDT 2005
Hi,
First, I record an idle pcap file: tcpdump -ni lo0 -w vide.pcap and CTRL+C!
(This file's size is 24 = no packets recorded; it is the same with packets in
the file, the Bro problem is not here.)
OK, run bro inline:
export BROPATH=/bropath/policy
export BRO_DNS_FAKE=1
bro -r ~/vide.pcap -r ~/vide.pcap -r ~/vide.pcap -r ~/vide.pcap -r ~/vide.pcap -r ~/vide.pcap -r ~/vide.pcap -r ~/vide.pcap bro.init mt
line 1: run-time error: precompile_pcap_filter: pcap_compile(((((((((tcp port 113) or ((ip[6:2] & 0x3fff != 0) and tcp)) or (tcp[13] & 7 != 0)) or (udp port 123)) or (port finger)) or (port ftp)) or (port telnet or tcp port 513)) or (udp port 69)) or (port 111)): too many registers needed to evaluate expression
can't compile filter ((((((((tcp port 113) or ((ip[6:2] & 0x3fff != 0) and tcp)) or (tcp[13] & 7 != 0)) or (udp port 123)) or (port finger)) or (port ftp)) or (port telnet or tcp port 513)) or (udp port 69)) or (port 111)
Bro creates idle files:
alarm.log
conn.log
ftp.log
notice.log
weird.log
Bro has 8 files;
I don't have the problem with only 7 pcap files.
I use Bro on the freebsd411 platform.
Regards
Rmkml