[Bro] RHEL 4.0/endace 10GigE/Bro

Aashish Sharma aashish at uiuc.edu
Thu Feb 9 09:47:16 PST 2006


Hello All: 

So I have been able to successfully compile and install bro on RHEL4.0 with dag support. Looks like bro is able to recognize DAG cards as well. 

There were multiple issues which I ended up fixing, of course with the help from this list. Thanks a lot.

Just for future reference : 

1)  compile libpcap-0.9.4 (latest version which has DAG support) to enable DAG options 
	
	./configure --disable-localpcap --libdir=/usr/local/lib --with-dag=/usr/local/dag --prefix=/usr/local CFLAGS="-D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"

2) I removed "aux" from compilation list 

3) Compile bro with the following : 

	./configure '--disable-localpcap' '--enable-selectloop' '--prefix=/usr/local/bro' '--libdir=/usr/local/lib' CFLAGS='-I/usr/local/include' LDFLAGS='-L/usr/local/lib'


Bro installed successfully and starts/stops just fine but it's not capturing any data so far. I have defined dag0 and dag1 as capture interfaces in bro.cfg.

The info.bro file is a little unusual. It does not pick up any capture filter. Is this normal for dag* interfaces? Is there any default filter then? If not, how can I fix this capture filter issue?

I tried redefining capture filter in hostname.bro file in site folder but in vain.

Here is the info.bro log : 

-------------------------------------------
listening on dag0
Bro Version: 1.0
Started with the following command line options:  -W -i dag0 -i dag1 mybrobox.bro
listening on dag1
Reading .state/state.bst ...
Capture filter: <not available>

--------------------------------------------

Any thoughts ?? 

Thanks a lot for all the help. 
Aashish 


On Wed, Feb 08, 2006 at 10:57:06AM -0800, Robin Sommer wrote:
> 
> On Tue, Feb 07, 2006 at 23:06 -0600, you wrote:
> 
> > Yes we would definitely like to try your prototypical code for DAG
> > support. Can you please share it with us. 
> 
> Great! I think I need to get approval from Endace to give out the
> code (the API is subject to non-disclosure) but that shouldn't be a
> problem. I'll then update the code to the current devel version and
> send you a patch. You won't need much of documentation as it
> essentially just acts like any other device. You still need to
> setup the DAG card with the Endace tools though as that's not
> yet part of the code (the API for these things is undocumented). 
> 
> > Also, is there any specific manner to define dag interfaces in
> > bro.cfg ? since dag interfaces don't behave like regular network
> > interfaces.  
> 
> Not sure if I understand what you mean. With the patch, you'll just
> use "dag0" as the capture device and Bro will figure out that it is
> a DAG card. When using the pcap wrapper, it should behave like any
> other pcap device, should it not?
> 
> > Also, I tried removing "-I../../include-linux" very coarsely by commenting the code in configure file.
> 
> Sorry, then this doesn't help. Was really just a guess as I remember
> having solved some similar problem once by getting rid of this -I.
> (For the pcap error, see my upcoming post to the list).
> 
> Robin
> 
> -- 
> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
> ICIR/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org