In my policy file: redef restrict_filter = "vlan";
Oops. Unfortunately, "vlan" is a hack bolted onto tcpdump/libpcap.
I discussed bugs in it that Bro tickled with Bill Fenner a while ago.
Here's the tail end of that thread, which included a patch that worked for
one of your NCSA colleagues.
No problem. tcpdump works fine with the above expression... seems to work
so now, in Bro, I use the redef capture_filter = <above expression>
There were also some related problems with Bro reading from multiple
interfaces, because the vlan keyword diddles the hdr_size in a non-reentrant
way (or at least it used to), but I don't know if that's what's tripping
you up or not.
Does Bro work okay for you w/o the "vlan"?
Vern