[Bro] Problem: Bro listening on two ethernet interfaces

Christoph Göldi goeldich at ee.ethz.ch
Mon May 23 13:41:21 PDT 2005


Hi Christian


>> I found a small C program that allows listening on multiple interfaces
>> and writing the captured packets to a file:
>> http://www.isi.edu/~hussain/software/snoop.c
>> 
>> And it works!!!
>> I'm really not (yet) the pcap-crack. Does somebody know what the
>> difference is between this program and the Bro implementation?
> 
> I had a quick look at snoop.c and it basically does the most
> straightforward thing for the task: a select() on the file descriptors
> associated with the pcap handles of the interfaces.
> 
> Bro's approach is somewhat more involved because you cannot afford a
> per-packet select() call on a busy link (see Robin's comments in
> IOSource.cc). Maybe IOSourceRegistry::FindSoonest() would be a good
> place to start digging.

Okay. I'll try to figure out more about this ominous select().

>> I really appreciate any help.
> 
> I'm sorry I can't help any further regarding this -- if you're on Linux,
> have you tried letting the kernel sort this out and just use the "any"
> interface (I forget whether this has been proposed in this thread
> before)?

I'll try the "any" interface tomorrow. But it wouldn't solve my problems
anyway because I want to specifically select the observed interfaces and
not capture the packets of all interfaces of this host.


Thanks for your help.
Cheers
Christoph 
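
The difference Christian describes, as an added example that is not part of the original message and is neither snoop.c nor Bro code: pipes holding constructed 4-byte records stand in for the per-interface descriptors libpcap exposes through pcap_get_selectable_fd(), and capture() and run() are hypothetical names. It counts select() calls when returning to select() after every read versus draining each ready descriptor first; the draining variant is one common way to amortize the call and is an assumption here, not Bro's IOSource logic.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/select.h>
#include <unistd.h>
enum { NSRC = 2, PKT = 4 };  /* two stand-in "interfaces", constructed 4-byte records */

/* Read all queued records from the descriptors in *srcs. batch == 0: one read
 * per ready descriptor, then back to select(). batch != 0: drain each ready
 * descriptor until it would block. *nselect receives the select() call count. */
static int capture(const fd_set *srcs, int maxfd, int batch, int *nselect)
{
    char buf[PKT];
    int total = 0;
    for (*nselect = 1;; ++*nselect) {
        fd_set rd = *srcs;            /* select() overwrites its set, so copy */
        struct timeval tv = {0, 0};   /* poll only: stop once nothing is queued */
        if (select(maxfd + 1, &rd, NULL, NULL, &tv) <= 0) return total;
        for (int fd = 0; fd <= maxfd; fd++)
            while (FD_ISSET(fd, &rd) && read(fd, buf, PKT) == PKT) {
                total++;
                if (!batch) break;
            }
    }
}

/* Queue npkts constructed records on each of NSRC non-blocking pipes, then capture. */
static int run(int npkts, int batch, int *nselect)
{
    int fds[NSRC][2], maxfd = -1, n;
    fd_set srcs;
    FD_ZERO(&srcs);
    for (int i = 0; i < NSRC; i++) {
        if (pipe(fds[i]) != 0) return -1;
        fcntl(fds[i][0], F_SETFL, O_NONBLOCK);
        FD_SET(fds[i][0], &srcs);
        if (fds[i][0] > maxfd) maxfd = fds[i][0];
        for (int k = 0; k < npkts; k++)
            if (write(fds[i][1], "pkt", PKT) != PKT) return -1;
    }
    n = capture(&srcs, maxfd, batch, nselect);
    for (int i = 0; i < NSRC; i++) { close(fds[i][0]); close(fds[i][1]); }
    return n;
}

int main(void)
{
    int c0, c1, n0 = run(100, 0, &c0), n1 = run(100, 1, &c1);
    printf("one read per select(): %d records, %d calls\n", n0, c0);
    printf("drain when ready:      %d records, %d calls\n", n1, c1);
    return 0;
}
```

Because only the listed descriptors are placed in the set, this pattern watches specifically chosen sources, which is the property the "any" interface does not give.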


