I am using bro 1.5. I am reading from a pcap file and trying to use policy. I am sending the error messages when I run bro on it. I request all of you to please help me.
/usr/local/bro/share/bro/drop.bro, lines 67-71 (128.8.10.90): warning, multiple initializations for index
/usr/local/bro/share/bro/drop.bro, lines 67-71 (192.5.5.241): warning, multiple initializations for index
/usr/local/bro/share/bro/drop.bro, lines 75-79 (192.48.79.30): warning, multiple initializations for index
bro: problem with trace file /usr/local/bro/090500-0-anon.pcap - unknown data link type 0x68
The packets in the tracefile are encapsulated in something strange at layer-2. Most commonly, the packets would be encapsulated in Ethernet headers (aka EN10MB). I don't know what 0x68 is.
Adding support for other encapsulation types seems to just be a matter of
telling bro what the offset to the data is at the end of src/PktSrc.cc.
Yeah, that should generally suffice provided it's a fixed-length header.
Conceptually Bro would also need to be told per packet's encapsulated
within it (e.g., IPv4 vs. ARP), but it actually has a hack to figure this
out itself.