[Bro] Problem: Bro listening on two ethernet interfaces

Christian Kreibich christian at whoop.org
Mon May 23 12:19:12 PDT 2005


Hi Christoph,

On Mon, 2005-05-23 at 17:54 +0100, Christoph Goeldi wrote:
> 
> I found a small C program that allows listening on multiple interfaces and
> writing the captured packets to a file:
> http://www.isi.edu/~hussain/software/snoop.c
> 
> And it works!!!
> I'm really not (yet) the pcap-crack. Does somebody know what's the difference
> between this program and the bro implementation?

I had a quick look at snoop.c and it basically does the most
straightforward thing for the task: a select() on the file descriptors
associated with the pcap handles of the interfaces.

Bro's approach is somewhat more involved because you cannot afford a
per-packet select() call on a busy link (see Robin's comments in
IOSource.cc). Maybe IOSourceRegistry::FindSoonest() would be a good
place to start digging.

> I really appreciate any help.

I'm sorry I can't help any further regarding this -- if you're on Linux,
have you tried letting the kernel sort this out and just using the "any"
interface (I forget whether this has been proposed in this thread
before)?

Cheers,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org
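
The cost of a per-packet select() mentioned in this message, as an added example that is not code from the post, from snoop.c or from Bro: the same select() loop is run once with one read per select() call and once draining each ready descriptor before selecting again. Pipes carrying constructed 8-byte records stand in for the per-interface pcap descriptors, `multiplex` and `run_demo` are hypothetical names, and the drain variant is a generic way to cut the call count, not a description of IOSourceRegistry::FindSoonest().

```c
/* Pipes stand in for per-interface capture descriptors (assumption). */
#include <fcntl.h>
#include <stdio.h>
#include <sys/select.h>
#include <unistd.h>
#define NSRC 2 /* two "interfaces" */
#define REC 8  /* constructed fixed-size packet record */
struct stats { long packets, selects; };
/* drain == 0: one record per ready descriptor per select() call.
 * drain != 0: keep reading a ready descriptor until it has nothing left. */
static struct stats multiplex(int fds[NSRC], int drain) {
    struct stats st = {0, 0};
    char buf[REC]; ssize_t n;
    int open_cnt = NSRC;
    while (open_cnt > 0) {
        fd_set rd; int maxfd = -1;
        FD_ZERO(&rd);
        for (int i = 0; i < NSRC; i++)
            if (fds[i] >= 0) { FD_SET(fds[i], &rd); if (fds[i] > maxfd) maxfd = fds[i]; }
        if (select(maxfd + 1, &rd, NULL, NULL, NULL) < 0) break;
        st.selects++;
        for (int i = 0; i < NSRC; i++) {
            if (fds[i] < 0 || !FD_ISSET(fds[i], &rd)) continue;
            do {
                n = read(fds[i], buf, REC);
                if (n == REC) st.packets++;
                else if (n == 0) { close(fds[i]); fds[i] = -1; open_cnt--; } /* EOF */
            } while (drain && n == REC);
        }
    }
    return st;
}

/* Queue per_src constructed records on each of NSRC pipes, then read them back. */
static struct stats run_demo(int per_src, int drain) {
    int fds[NSRC], p[2];
    for (int i = 0; i < NSRC; i++) {
        if (pipe(p) < 0) return (struct stats){-1, -1};
        for (int k = 0; k < per_src; k++)
            if (write(p[1], "PKT0000", REC) != REC) break;
        close(p[1]); fds[i] = p[0];
        if (drain) fcntl(p[0], F_SETFL, O_NONBLOCK);
    }
    return multiplex(fds, drain);
}
int main(void) {
    struct stats a = run_demo(1000, 0), b = run_demo(1000, 1);
    printf("per-packet: %ld select() calls, drained: %ld, packets: %ld\n", a.selects, b.selects, a.packets);
    return 0;
}
```
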




