[Bro] Quick af_packet question

James Lay jlay at slave-tothe-box.net
Sun Dec 18 05:04:40 PST 2016


Thanks Jan....those were my final results as well.
James
On Sat, 2016-12-17 at 23:08 +0100, Jan Grashöfer wrote:
> Hi James,
> 
> to be honest, I don't know that interfaceA:interfaceB notation at all.
> Doing a quick search it seems related to running snort inline. Actually,
> I don't think AF_Packet can be used to capture from two different
> interfaces using a single instance of Bro. But, running a cluster one
> could set up a worker per interface using AF_Packet. The latest version
> of the plugin contains an additional broctl-plugin to allow specifying
> the necessary parameters (workers will need different fanout_ids, see
> https://bro-tracker.atlassian.net/browse/BIT-1747). The README was
> extended as well to provide some information on how to set up Bro and
> AF_Packet using broctl.
> 
> Hope that helps,
> Jan
> 
> > 
> > Does not appear to decode pppoe however :(
> > 
> > On 2016-12-16 09:51, James Lay wrote:
> > > 
> > > So far my testing says yes:
> > > 
> > > 09:30:56 @tester:/opt/bro/spool$] sudo bro -C -i af_packet::eth0:wlan0
> > > listening on eth0:wlan0
> > > 
> > > eth0      Link encap:Ethernet  HWaddr 00:1f:f3:46:62:ca
> > >           inet addr:192.168.1.7  Bcast:192.168.1.255  Mask:255.255.255.0
> > >           inet6 addr: fe80::21f:f3ff:fe46:62ca/64 Scope:Link
> > >           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> > >           RX packets:434251 errors:0 dropped:59 overruns:0 frame:0
> > >           TX packets:261164 errors:0 dropped:0 overruns:0 carrier:0
> > >           collisions:0 txqueuelen:1000
> > >           RX bytes:600874115 (600.8 MB)  TX bytes:70240696 (70.2 MB)
> > >           Interrupt:16
> > > 
> > > wlan0     Link encap:Ethernet  HWaddr 00:23:6c:7b:29:1d
> > >           inet addr:192.168.1.60  Bcast:192.168.1.255  Mask:255.255.255.0
> > >           inet6 addr: fe80::223:6cff:fe7b:291d/64 Scope:Link
> > >           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> > >           RX packets:74 errors:0 dropped:0 overruns:0 frame:0
> > >           TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
> > >           collisions:0 txqueuelen:1000
> > >           RX bytes:10726 (10.7 KB)  TX bytes:1820 (1.8 KB)
> > > 
> > > ssh.log:
> > > 1481906017.175240       CWWs1B3RQhgUy1QqT2      192.168.1.2   45480   192.168.1.7     22      2       T       1       -       SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8       SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 chacha20-poly1305@openssh.com umac-64-etm@openssh.com none    curve25519-sha256@libssh.org    ssh-rsa
> > > 
> > > 1481906687.051242       CfvBJT3Gs2r7YAX2n1      192.168.1.2   34956   192.168.1.60    22      2       T       1       -       SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8       SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 chacha20-poly1305@openssh.com umac-64-etm@openssh.com none    curve25519-sha256@libssh.org    ssh-rsa
> > > 
> > > but wanting to verify.  Thank you.
> > > 
> > > James
> > > 
> > > On 2016-12-16 09:35, James Lay wrote:
> > > > 
> > > > Love the plugin thanks...quick question for cli...does af_packet need -i
> > > > for multiple interfaces, or can it be used like snort with
> > > > af_packet::eth0:eth1?  Thank you.
> > > > 
> > > > James
> > > > _______________________________________________
> > > > Bro mailing list
> > > > bro at bro-ids.org
> > > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
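A broctl node.cfg laying out the cluster approach Jan describes, added here as an illustration and not taken from the thread or from the plugin's own documentation: one worker per capture interface, each with its own fanout id. The option names (lb_method=custom, af_packet_fanout_id, af_packet_fanout_mode, af_packet_buffer_size) are assumed to be those read by the plugin's broctl-plugin; the node names, host, interface names and id values are made up.

```ini
# node.cfg (constructed example): two capture interfaces on one host.
# A fanout group is identified by its id within the host; a socket bound
# to a different interface cannot join a group that already exists under
# the same id, so two workers on one host that share a fanout_id will not
# both come up. That is the reason each worker below has its own id
# (BIT-1747 in the thread).

[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

# Worker for the wired interface. lb_method=custom hands load balancing
# to the AF_Packet broctl plugin; lb_procs=1 keeps a single process on
# this interface (raise it to fan out across more processes).
[worker-eth0]
type=worker
host=localhost
interface=af_packet::eth0
lb_method=custom
lb_procs=1
af_packet_fanout_id=23
af_packet_fanout_mode=AF_Packet::FANOUT_HASH
af_packet_buffer_size=128*1024*1024

# Worker for the wireless interface: same host, so it must not reuse
# fanout_id 23.
[worker-wlan0]
type=worker
host=localhost
interface=af_packet::wlan0
lb_method=custom
lb_procs=1
af_packet_fanout_id=24
af_packet_fanout_mode=AF_Packet::FANOUT_HASH
af_packet_buffer_size=128*1024*1024
```

After `broctl deploy`, `broctl status` should list both workers running; a worker that stays stopped and whose stderr reports a fanout error is the symptom of a colliding id.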