Adapting packet filter in stand-alone cluster

Tyler_Schoenke · April 16, 2009, 10:01pm

I am getting started with Bro, and am using Robin's 1.4 stand-alone cluster branch. I was trying to detect some IRC traffic using DPD, but realized that it was being filtered. In the Workshop 2009 materials, it mentioned adapting the packet filter by adding the -f "tcp". I tried that, tested it on my pcap file, and it worked. How do I enable/disable the -f "tcp" option in the cluster configuration?

Tyler

Seth_Hall · April 17, 2009, 2:39am

You can do it from your policy script.

In policy/local/local.bro (assuming you're using everything as it ships)...

redef capture_filters = { ["all-ip-packets"] = "ip or ip6" };

.Seth

Topic		Replies	Views
Bro: effect of filter on speed/drops Zeek	1	64	May 6, 2022
Bro: effect of filter on speed/drops Zeek	1	64	May 6, 2022
Disabling DPD Zeek	2	75	May 6, 2022
Zeek 2.6.1 - packet_filter - unable to filter out traffic Zeek	1	203	May 6, 2022
Bro restrict filters question Zeek	4	118	May 6, 2022

Adapting packet filter in stand-alone cluster

Related topics