[Bro] LogExpireInterval not respected?

Daniel Thayer dnthayer at illinois.edu
Wed Feb 13 15:25:49 PST 2013


On 02/13/2013 11:55 AM, Jesse Bowling wrote:
>
>
> On Wed, Feb 13, 2013 at 12:46 PM, Seth Hall <seth at icir.org> wrote:
>
>
>     On Feb 13, 2013, at 12:30 PM, Jesse Bowling <jessebowling at gmail.com> wrote:
>
>      > I can surmise the problem: Because my interface specification
>     requires the use of ';', bash is breaking the command up before it
>     should and capstats doesn't know it should quit...The format I'm
>     using (p2p1;p2p2;p2p3;p2p4) is making use of PF_RING to listen to
>     all these interfaces simultaneously. For snort I have to quote it to
>     prevent it being broken up and I suspected something similar is
>     required here as well.
>
>     Woah!  PF_RING lets you sniff multiple interfaces that way?  If you
>     give that same value to tcpdump (while using the pf_ring libpcap
>     wrapper) does it work there too?
>
>        .Seth
>
>
> That is my understanding. Anything built against PF_RING's libpcap can
> use the notation...However, now that I've put it out on the internet and
> it's not apparently common knowledge, I'm doubting myself... ;)
>
> As a reference, straight from (one of) the horses' mouths:
> http://lists.ntop.org/pipermail/ntop-misc/2012-August/003128.html
>
> Cheers,
>
> Jesse


I'm curious how you're getting things working with semicolons in the
interface name.  Do you have a line like this in your node.cfg:

interface=p2p1;p2p2;p2p3;p2p4




