[Bro] PacketFilter

Azoff, Justin S jazoff at illinois.edu
Sun Mar 19 07:37:54 PDT 2017


> On Mar 18, 2017, at 3:20 PM, Dave Crawford <bro at pingtrip.com> wrote:
> 
> tcpdump doesn’t enforce the filter either.
> 
> $ sudo tcpdump -nn -i netmap:eth2/Rz not net 224.0.0.0/4 | grep 60000
> 
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on netmap:eth2/Rz, link-type EN10MB (Ethernet), capture size 262144 bytes
> 15:11:26.286104 IP 192.168.20.8.40364 > 239.254.127.63.60000: UDP, length 44
> 15:11:26.497024 IP 192.168.20.8.47779 > 239.254.127.63.60000: UDP, length 44
> 15:11:26.950899 IP 192.168.20.8.38593 > 239.254.127.63.60000: UDP, length 44
> 
> I’m at a loss now.

Does tcpdump -ve show that any encapsulation, like VLANs, is in use?  You may need to use

sudo tcpdump -nn -i netmap:eth2/Rz vlan and not net 224.0.0.0/4 

Or it's a bug in netmap :-)

-- 
- Justin Azoff
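
Added example, not part of the original message: a simplified Python model of why a fixed-offset filter such as `not net 224.0.0.0/4` passes VLAN-tagged multicast, and why prefixing `vlan` changes the result. It assumes the traffic is 802.1Q tagged (VLAN ID 100 and the zeroed MACs are constructed values) and models only the IPv4 branch of the `net` primitive.

```python
import ipaddress
import struct

ETH_IP, ETH_VLAN = 0x0800, 0x8100
MCAST = ipaddress.ip_network("224.0.0.0/4")

def build_frame(src, dst, vlan_id=None):
    """Constructed Ethernet + IPv4 header bytes (no payload), optional 802.1Q tag."""
    macs = bytes(12)  # dst MAC + src MAC, zeroed (constructed)
    tag = struct.pack("!HH", ETH_VLAN, vlan_id) if vlan_id is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return macs + tag + struct.pack("!H", ETH_IP) + ip

def net_match(frame, l2_len):
    """'net 224.0.0.0/4' at fixed offsets: ethertype at l2_len-2, IP header at l2_len."""
    (ethertype,) = struct.unpack_from("!H", frame, l2_len - 2)
    if ethertype != ETH_IP:
        return False  # no IPv4 at this offset, so 'net' cannot match
    src = ipaddress.ip_address(frame[l2_len + 12:l2_len + 16])
    dst = ipaddress.ip_address(frame[l2_len + 16:l2_len + 20])
    return src in MCAST or dst in MCAST

def not_net(frame):
    """Models 'not net 224.0.0.0/4': assumes an untagged 14-byte Ethernet header."""
    return not net_match(frame, 14)

def vlan_and_not_net(frame):
    """Models 'vlan and not net 224.0.0.0/4': require a tag, then shift offsets by 4."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    return ethertype == ETH_VLAN and not net_match(frame, 18)

if __name__ == "__main__":
    # Addresses taken from the tcpdump output quoted above; VLAN 100 is constructed.
    untagged = build_frame("192.168.20.8", "239.254.127.63")
    tagged = build_frame("192.168.20.8", "239.254.127.63", vlan_id=100)
    for name, frame in (("untagged", untagged), ("tagged", tagged)):
        print(f"{name:9} not_net={not_net(frame)} "
              f"vlan_and_not_net={vlan_and_not_net(frame)}")
```

In this model a tagged frame carries ethertype 0x8100 at offset 12, so the IPv4 test fails and the negation accepts the packet. The `vlan` form only accepts tagged frames, so untagged traffic no longer matches it.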
