[Bro] PacketFilter

James Lay jlay at slave-tothe-box.net
Sun Mar 19 16:46:53 PDT 2017


And there you go... I think I attempted netmap a couple of months
ago... didn't have good results, so I stuck with af_packet.  Looks like
netmap needs a massage.
James
On Sun, 2017-03-19 at 19:36 -0400, Dave Crawford wrote:
> 
> > 
> > Does tcpdump -ve show any encapsulation like vlans is in use?  You
> > may need to use
> > 
> > sudo tcpdump -nn -i netmap:eth2/Rz vlan and not net 224.0.0.0/4 
> > 
> > Or it's a bug in netmap :-)
> > 
> > -- 
> > - Justin Azoff
> > 
> I built a new Bro cluster without Netmap (standard libpcap-dev
> libraries for Debian 8.7) and the BPF works as expected:
> 
> $ sudo tcpdump -nn -i eth2 net 224.0.0.0/4 | grep 60000
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
> 
> 
> 14:38:37.656784 IP 192.168.20.4.34697 > 239.254.127.63.60000: UDP, length 44
> 14:38:37.656799 IP 192.168.20.4.34697 > 239.254.127.63.60000: UDP, length 44
> 14:38:37.656974 IP 192.168.20.4.45799 > 239.254.127.63.60000: UDP, length 44
> <snip>
> 
> AND
> 
> $ sudo tcpdump -nn -i eth2 not net 224.0.0.0/4 | grep 60000
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth2, link-type EN10MB (Ethernet), capture size 262144 bytes
> 
> 
> <wait a few minutes then ctrl-c>
> 
> 4866 packets received by filter
> 0 packets dropped by kernel
> 
> -Dave
> 
> 
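The exchange above, as an added example that is not part of the mailing-list thread: the usual reason a `not net 224.0.0.0/4` filter stops excluding multicast on one capture path but works on another is that a BPF program compiled for plain Ethernet reads the IPv4 source and destination at fixed offsets (26 and 30 bytes into the frame), and an 802.1Q tag shifts the whole IP header by 4 bytes, so the `net` test never matches and `not net` lets everything through. Adding `vlan` to the expression makes libpcap skip the tag before applying the later tests. The Python below is hand-written for this page (constructed frames, and two matchers that mimic what the two filter expressions compile to; it does not call libpcap), and it handles double-tagged frames as well, which the thread does not mention. Whether a capture path hands you tagged or already-stripped frames depends on the NIC's VLAN offload and the capture method, so run `tcpdump -e` on the same path you feed Bro before trusting the filter.

```python
"""Added example (not from the Bro thread): why a filter compiled for
untagged Ethernet misses 802.1Q-tagged multicast, and how a tag-aware
parser handles it.  All frames below are constructed by hand."""
import ipaddress
import struct

ETH_P_IP = 0x0800        # IPv4
ETH_P_8021Q = 0x8100     # single VLAN tag
ETH_P_8021AD = 0x88A8    # outer tag of a QinQ frame
MULTICAST = ipaddress.ip_network("224.0.0.0/4")


def build_frame(dst_ip, src_ip, vlan_ids=()):
    """Build a minimal Ethernet/IPv4/UDP frame (constructed test data).
    vlan_ids, outermost first, wraps the frame in that many 802.1Q tags."""
    dst_mac = bytes.fromhex("01005e7e7f3f")   # IPv4 multicast MAC (assumed)
    src_mac = bytes.fromhex("001122334455")   # arbitrary source MAC
    payload = b"x" * 36
    udp = struct.pack("!HHHH", 34697, 60000, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed) + udp
    frame = dst_mac + src_mac
    for vid in vlan_ids:
        # TPID followed by the TCI; the 12-bit VID sits in the low bits
        frame += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ETH_P_IP) + ip


def naive_is_ipv4_multicast(frame):
    """Mimics the BPF libpcap compiles for 'net 224.0.0.0/4' on an untagged
    EN10MB link: EtherType at offset 12, IPv4 src at 26, dst at 30.
    A tagged frame has 0x8100 at offset 12, so this never matches it."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
        return False
    src = ipaddress.ip_address(frame[26:30])
    dst = ipaddress.ip_address(frame[30:34])
    return src in MULTICAST or dst in MULTICAST


def vlan_aware_is_ipv4_multicast(frame):
    """Walk past any 802.1Q / 802.1ad tags before reading the IP header,
    which is what prefixing the filter with 'vlan' makes libpcap do."""
    off = 12
    while True:
        if len(frame) < off + 2:
            return False
        ethertype = struct.unpack_from("!H", frame, off)[0]
        if ethertype not in (ETH_P_8021Q, ETH_P_8021AD):
            break
        off += 4                     # skip TPID + TCI, try the next EtherType
    if ethertype != ETH_P_IP or len(frame) < off + 2 + 20:
        return False
    ip = frame[off + 2:]
    src = ipaddress.ip_address(ip[12:16])
    dst = ipaddress.ip_address(ip[16:20])
    return src in MULTICAST or dst in MULTICAST


def classify(frames):
    """Run both matchers over (label, frame) pairs; returns
    {label: (naive_result, vlan_aware_result)}."""
    return {label: (naive_is_ipv4_multicast(f), vlan_aware_is_ipv4_multicast(f))
            for label, f in frames}


def demo():
    """Same multicast flow as in the thread, untagged, single- and double-tagged."""
    return classify([
        ("untagged multicast", build_frame("239.254.127.63", "192.168.20.4")),
        ("tagged multicast", build_frame("239.254.127.63", "192.168.20.4", (100,))),
        ("qinq multicast", build_frame("239.254.127.63", "192.168.20.4", (100, 200))),
        ("tagged unicast", build_frame("10.0.0.1", "192.168.20.4", (100,))),
    ])


if __name__ == "__main__":
    for label, (naive, aware) in demo().items():
        # 'not net 224.0.0.0/4' passes a frame exactly when the matcher is False
        print(f"{label:20s} naive={naive!s:5s} vlan-aware={aware!s:5s}")
```

The "tagged multicast" row is the failure mode from the thread: the naive matcher returns False, so `not net 224.0.0.0/4` passes the multicast through, while the tag-aware matcher excludes it. Note that a `vlan` filter also stops matching untagged frames, so if both kinds arrive on one interface the expression needs both branches, e.g. `(not net 224.0.0.0/4) or (vlan and not net 224.0.0.0/4)`.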