[Bro] PacketFilter

[Dave Crawford]

> 
> Does tcpdump -ve show any encapsulation like vlans is in use?  You may need to use
> 
> sudo tcpdump -nn -i netmap:eth2/Rz vlan and not net 224.0.0.0/4 
> 
> Or it's a bug in netmap :-)
> 
> -- 
> - Justin Azoff
> 

I built a new Bro cluster without Netmap (standard libpcap-dev libraries for Debian 8.7) and the BPF works as expected:

$ sudo tcpdump -nn -i eth2 net 224.0.0.0/4 | grep 60000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes


14:38:37.656784 IP 192.168.20.4.34697 > 239.254.127.63.60000: UDP, length 44
14:38:37.656799 IP 192.168.20.4.34697 > 239.254.127.63.60000: UDP, length 44
14:38:37.656974 IP 192.168.20.4.45799 > 239.254.127.63.60000: UDP, length 44
<snip>

AND

$ sudo tcpdump -nn -i eth2 not net 224.0.0.0/4 | grep 60000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes


<wait a few minutes then ctrl-c>

4866 packets received by filter
0 packets dropped by kernel

-Dave


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170319/ef2805b1/attachment.html