[Bro] Quick af_packet question
James Lay
jlay at slave-tothe-box.net
Fri Dec 16 08:51:30 PST 2016
So far my testing says yes:
09:30:56 @tester:/opt/bro/spool$] sudo bro -C -i af_packet::eth0:wlan0
listening on eth0:wlan0
eth0 Link encap:Ethernet HWaddr 00:1f:f3:46:62:ca
inet addr:192.168.1.7 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::21f:f3ff:fe46:62ca/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:434251 errors:0 dropped:59 overruns:0 frame:0
TX packets:261164 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:600874115 (600.8 MB) TX bytes:70240696 (70.2 MB)
Interrupt:16
wlan0 Link encap:Ethernet HWaddr 00:23:6c:7b:29:1d
inet addr:192.168.1.60 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::223:6cff:fe7b:291d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:74 errors:0 dropped:0 overruns:0 frame:0
TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10726 (10.7 KB) TX bytes:1820 (1.8 KB)
ssh.log:
1481906017.175240 CWWs1B3RQhgUy1QqT2 192.168.1.2 45480 192.168.1.7 22 2 T 1 - SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8 SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 chacha20-poly1305@openssh.com umac-64-etm@openssh.com none curve25519-sha256@libssh.org ssh-rsa
1481906687.051242 CfvBJT3Gs2r7YAX2n1 192.168.1.2 34956 192.168.1.60 22 2 T 1 - SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8 SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 chacha20-poly1305@openssh.com umac-64-etm@openssh.com none curve25519-sha256@libssh.org ssh-rsa
but wanting to verify. Thank you.
James
On 2016-12-16 09:35, James Lay wrote:
> Love the plugin thanks...quick question for cli...does af_packet need -i
> for multiple interfaces, or can it be used like snort with
> af_packet::eth0:eth1? Thank you.
>
> James