[Bro] [Fwd: Re: remote.bro]

Christian Kreibich christian at whoop.org
Sun Oct 8 23:45:56 PDT 2006


FYI, an update from Sandro.

-------- Forwarded Message --------
From: Sandro Reichert <sanreich at gmx.de>
To: Christian Kreibich <christian at whoop.org>
Subject: Re: [Bro] remote.bro
Date: Sun, 08 Oct 2006 15:42:11 +0200

Hi!

>> I'm using Suse 10.0 on both machines. One Bro 1.1 runs on PC 'A', the
>> other on PC 'B' runs on VMware Server, because I started testing with
>> our wireless 0.9a9 edition and we haven't finished the wireless patch
>> for 1.1 yet. It should be done within the next days.
>>
>> A: Suse 10.0 & Bro 1.1
>> B: Suse 10.0 & "Bro-wireless" 0.9a9
>>     VMware: Suse 10.0 Bro 1.1
> 
> so you have three Bro nodes? My guess is that the 0.9 one is causing the
> problem you're seeing.

The 0.9 is not included in the inter-bro communication, because it uses 
protocol version 4 and the 1.1 has version 5.  I use 0.9 only for 
testing new (local) wireless events and the two 1.1 for testing 
communication.

>> The config.h are equal on both machines.
> 
> Mhmmm are you sure about this? My guess is that on the 0.9 setup you
> need to add --enable-selectloop to the configure invocation. This
> ensures that events arriving from a remote Bro are treated with the same
> priority as observed packets. You can check whether that is the case by
> verifying that USE_SELECT_LOOP is defined in config.h after running
> configure.
> 
> If the two config.h files really are identical, I don't know what the
> problem might be...

I made a diff and both 1.1 config.h were identical.
Maybe the problems are caused by VMware? As soon as our wireless patch
for 1.1 is finished, I'll install 1.1 on machine B without using VMware
and tell you whether communication works better or not ;-)

Bye,
Sandro



