[Bro] PacketFilter
James Lay
jlay at slave-tothe-box.net
Sun Mar 19 16:46:53 PDT 2017
And there you go....I think I attempted netmap a couple months
ago...didn't have good results, so stuck with af_packet. Looks like
netmap needs a massage.
James
On Sun, 2017-03-19 at 19:36 -0400, Dave Crawford wrote:
>
> >
> > Does tcpdump -ve show any encapsulation like vlans is in use? You
> > may need to use
> >
> > sudo tcpdump -nn -i netmap:eth2/Rz vlan and not net 224.0.0.0/4
> >
> > Or it's a bug in netmap :-)
> >
> > --
> > - Justin Azoff
> >
> I built a new Bro cluster without Netmap (standard libpcap-dev
> libraries for Debian 8.7) and the BPF works as expected:
>
> $ sudo tcpdump -nn -i eth2 net 224.0.0.0/4 | grep 60000
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
>
> 14:38:37.656784 IP 192.168.20.4.34697 > 239.254.127.63.60000: UDP, length 44
> 14:38:37.656799 IP 192.168.20.4.34697 > 239.254.127.63.60000: UDP, length 44
> 14:38:37.656974 IP 192.168.20.4.45799 > 239.254.127.63.60000: UDP, length 44
> <snip>
>
> AND
>
> $ sudo tcpdump -nn -i eth2 not net 224.0.0.0/4 | grep 60000
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
>
> <wait a few minutes then ctrl-c>
>
> 4866 packets received by filter
> 0 packets dropped by kernel
>
> -Dave
>
>
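The mechanism behind Justin's "vlan and not net 224.0.0.0/4" suggestion, as an added example that is not part of the thread: a BPF expression compiled without the `vlan` keyword reads the EtherType at byte 12 and the IPv4 destination at byte 30. An 802.1Q tag inserts four bytes in front of the real EtherType, so on a tagged frame `net 224.0.0.0/4` sees EtherType 0x8100, evaluates to false, and `not net 224.0.0.0/4` therefore lets the multicast through. The script below builds one untagged and one tagged frame (constructed sample data, addresses borrowed from Dave's capture) and applies both offset models; the two matcher functions are this example's own simplified stand-ins for libpcap's compiled code, not libpcap itself.

```python
"""Why 'net 224.0.0.0/4' misses 802.1Q-tagged frames and 'vlan and net ...' does not.

Added example, not code from the Bro mailing list thread. The frame builders and the
two matchers are simplified models of libpcap offset handling, written for illustration.
"""
import struct
import ipaddress
from typing import Optional

ETH_P_8021Q = 0x8100          # TPID of an 802.1Q VLAN tag
ETH_P_IP = 0x0800             # IPv4 EtherType
MULTICAST_NET = ipaddress.ip_network("224.0.0.0/4")


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Minimal IPv4 + UDP packet. Checksums are left zero; only header layout matters here."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    total_len = 20 + len(udp)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, 17, 0,           # ver/ihl, tos, len, id, frag, ttl, proto=UDP, csum
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    )
    return ip_hdr + udp


def build_frame(ip_packet: bytes, vlan_id: Optional[int] = None) -> bytes:
    """Ethernet II frame; with vlan_id set, an 802.1Q tag is inserted before the EtherType."""
    dst_mac = bytes.fromhex("01005e7e7f3f")            # constructed IPv4 multicast MAC
    src_mac = bytes.fromhex("001122334455")            # constructed
    if vlan_id is None:
        return dst_mac + src_mac + struct.pack("!H", ETH_P_IP) + ip_packet
    tci = vlan_id & 0x0FFF                             # PCP/DEI bits zero, VID only
    return (dst_mac + src_mac
            + struct.pack("!HH", ETH_P_8021Q, tci)     # 4-byte tag shifts everything after it
            + struct.pack("!H", ETH_P_IP) + ip_packet)


def naive_dst_net_match(frame: bytes, net: ipaddress.IPv4Network) -> bool:
    """Models 'net X' compiled WITHOUT 'vlan': EtherType at offset 12, IPv4 dst at 30..34."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
        return False                                   # a tagged frame fails right here (0x8100)
    return ipaddress.ip_address(frame[30:34]) in net


def vlan_aware_dst_net_match(frame: bytes, net: ipaddress.IPv4Network) -> bool:
    """Models 'vlan and net X': requires one 802.1Q tag, then reads IPv4 at offset 18."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_P_8021Q:
        return False                                   # 'vlan' is only true for tagged frames
    if struct.unpack_from("!H", frame, 16)[0] != ETH_P_IP:
        return False
    ip_start = 18
    return ipaddress.ip_address(frame[ip_start + 16:ip_start + 20]) in net


# Constructed samples: the UDP flow from Dave's capture (payload 36 bytes -> UDP length 44).
MCAST_PKT = build_ipv4_udp("192.168.20.4", "239.254.127.63", 34697, 60000, b"\x00" * 36)
SAMPLE_UNTAGGED = build_frame(MCAST_PKT)
SAMPLE_TAGGED = build_frame(MCAST_PKT, vlan_id=100)    # VLAN 100 is a constructed value


def exclusion_leaks(frame: bytes) -> bool:
    """True when 'not net 224.0.0.0/4' (untagged offsets) would still pass this multicast frame."""
    return not naive_dst_net_match(frame, MULTICAST_NET)


if __name__ == "__main__":
    for name, frame in (("untagged", SAMPLE_UNTAGGED), ("802.1Q-tagged", SAMPLE_TAGGED)):
        print(f"{name:14s} net 224/4 -> {naive_dst_net_match(frame, MULTICAST_NET)}, "
              f"vlan and net 224/4 -> {vlan_aware_dst_net_match(frame, MULTICAST_NET)}, "
              f"'not net 224/4' leaks it -> {exclusion_leaks(frame)}")
```

Run it and the tagged frame is the one the plain exclusion lets through, which is exactly the symptom of a filter that works on a libpcap interface but not on a trunk port feeding netmap. Checking with `tcpdump -e` (as Justin suggests) whether frames arrive tagged is the quick way to decide which form of the expression a sensor needs.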