[Bro] Pcap Buffer = 0
Scott Sakai
ssakai at sdsc.edu
Thu Jun 16 12:28:11 PDT 2011
Hi Chuck,
Just a thought: Is the traffic that you're (not) capturing vlan tagged?
tcpdump with the '-e' argument and no filter will tell you for sure.
If so, you need to load the vlan policy, otherwise libpcap will apply the
filter rules to the wrong frame offsets.
On 06/16/2011 10:08 AM, Chuck Little wrote:
> Output:
>
> [rigel /raid/bro/bin]# ./broctl capstats
>
> Interface kpps mbps (10s average)
> ------------------------------
> rigel-igb0 0.0 0.0
> rigel-igb1 39.7 147.0
> rigel-igb2 19.2 96.7
> rigel-igb3 24.1 137.3
> rigel-igb4 0.0 0.0
> rigel-igb5 0.0 0.0
>
> Total 83.0 381.0
>
>
> -Chuck
>
> On 6/16/11 11:02 AM, Justin Azoff wrote:
>> On Thu, Jun 16, 2011 at 12:26:24PM -0400, Chuck Little wrote:
>>> I have a fresh Bro-IDS install (ver 1.5.3), but I'm not really capturing
>>> traffic. I know I'm missing something (config setting, etc) but am
>>> unsure what it is. I consulted teh Google but didn't have much luck.
>>> Could someone provide some insight/advice? Thanks!
>>>
>>> -Chuck
>>
>> Does broctl capstats show your interfaces receiving packets?
>>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
--
Scott Sakai
Security Analyst
San Diego Supercomputer Center
ssakai at sdsc.edu
+1-858-822-0851
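
The offset problem described in the reply above, as an added example that is not part of the original post: a filter such as `ip` compares the two bytes at frame offset 12 against 0x0800, but an 802.1Q tag puts 0x8100 there and pushes the real EtherType to offset 16. The frames, MAC addresses and function names below are constructed for illustration.

```python
import struct

ETH_IPV4 = 0x0800
ETH_8021Q = 0x8100  # 802.1Q tag protocol identifier (TPID)

# Constructed 20-byte IPv4 header (10.0.0.1 -> 10.0.0.2, checksum left at zero).
IPV4_HDR = bytes.fromhex("4500001400000000400600000a0000010a000002")


def eth_frame(payload, vlan_id=None):
    """Build an Ethernet II frame carrying IPv4, optionally 802.1Q tagged."""
    dst = bytes.fromhex("02aabbccdd01")  # constructed, locally administered MACs
    src = bytes.fromhex("02aabbccdd02")
    tag = b"" if vlan_id is None else struct.pack("!HH", ETH_8021Q, vlan_id & 0x0FFF)
    return dst + src + tag + struct.pack("!H", ETH_IPV4) + payload


def match_ip_fixed_offset(frame):
    """Mimic a plain 'ip' filter: halfword at offset 12 must equal 0x0800."""
    if len(frame) < 14:
        return False
    return struct.unpack_from("!H", frame, 12)[0] == ETH_IPV4


def match_ip_vlan_aware(frame):
    """Mimic 'ip or (vlan and ip)': skip one 4-byte tag when it is present."""
    off = 12
    if len(frame) >= 18 and struct.unpack_from("!H", frame, off)[0] == ETH_8021Q:
        off += 4  # TPID (2 bytes) + TCI (2 bytes)
    if len(frame) < off + 2:
        return False
    return struct.unpack_from("!H", frame, off)[0] == ETH_IPV4


def summarize(frames):
    """Return (name, fixed-offset verdict, vlan-aware verdict) per frame."""
    return [(n, match_ip_fixed_offset(f), match_ip_vlan_aware(f)) for n, f in frames]


SAMPLES = [
    ("untagged", eth_frame(IPV4_HDR)),
    ("vlan 100", eth_frame(IPV4_HDR, vlan_id=100)),
]

if __name__ == "__main__":
    for name, fixed, aware in summarize(SAMPLES):
        print(f"{name:9s} fixed-offset={fixed!s:5s} vlan-aware={aware}")
```

The tagged frame is silently dropped by the fixed-offset check even though the interface is receiving it, which matches the symptom of capstats showing traffic while the capture filter matches nothing.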