[Bro] Quick af_packet question

James Lay jlay at slave-tothe-box.net
Fri Dec 16 10:03:44 PST 2016 

Does not appear to decode pppoe however :(

On 2016-12-16 09:51, James Lay wrote:
> So far my testing says yes:
> 
> 09:30:56 @tester:/opt/bro/spool$] sudo bro -C -i af_packet::eth0:wlan0
> listening on eth0:wlan0
> 
> eth0      Link encap:Ethernet  HWaddr 00:1f:f3:46:62:ca
>            inet addr:192.168.1.7  Bcast:192.168.1.255  
> Mask:255.255.255.0
>            inet6 addr: fe80::21f:f3ff:fe46:62ca/64 Scope:Link
>            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>            RX packets:434251 errors:0 dropped:59 overruns:0 frame:0
>            TX packets:261164 errors:0 dropped:0 overruns:0 carrier:0
>            collisions:0 txqueuelen:1000
>            RX bytes:600874115 (600.8 MB)  TX bytes:70240696 (70.2 MB)
>            Interrupt:16
> 
> wlan0     Link encap:Ethernet  HWaddr 00:23:6c:7b:29:1d
>            inet addr:192.168.1.60  Bcast:192.168.1.255
> Mask:255.255.255.0
>            inet6 addr: fe80::223:6cff:fe7b:291d/64 Scope:Link
>            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>            RX packets:74 errors:0 dropped:0 overruns:0 frame:0
>            TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
>            collisions:0 txqueuelen:1000
>            RX bytes:10726 (10.7 KB)  TX bytes:1820 (1.8 KB)
> 
> ssh.log:
> 1481906017.175240       CWWs1B3RQhgUy1QqT2      192.168.1.2   45480
> 192.168.1.7     22      2       T       1       -
> SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8       SSH-2.0-OpenSSH_7.2p2
> Ubuntu-4ubuntu2.1 chacha20-poly1305 at openssh.com
> umac-64-etm at openssh.com none    curve25519-sha256 at libssh.org    ssh-rsa
> 
> 1481906687.051242       CfvBJT3Gs2r7YAX2n1      192.168.1.2   34956
> 192.168.1.60    22      2       T       1       -
> SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8       SSH-2.0-OpenSSH_7.2p2
> Ubuntu-4ubuntu2.1 chacha20-poly1305 at openssh.com
> umac-64-etm at openssh.com none    curve25519-sha256 at libssh.org    ssh-rsa
> 
> but wanting to verify.  Thank you.
> 
> James
> 
> On 2016-12-16 09:35, James Lay wrote:
>> Love the plugin thanks...quick question for cli...does af_packet need
>> -i
>> for multiple interfaces, or can it be used like snort with
>> af_packet::eth0:eth1?  Thank you.
>> 
>> James
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list