Hi,
First, I record an empty pcap file: tcpdump -ni lo0 -w vide.pcap, then CTRL+C!
(The file size is 24 = no packets recorded; it is the same with packets in the file, so the bro problem is not here.)
OK, run bro inline:
export BROPATH=/bropath/policy
export BRO_DNS_FAKE=1
bro -r ~/vide.pcap -r ~/vide.pcap -r ~/vide.pcap -r ~/vide.pcap -r ~/vide.pcap -r ~/vide.pcap -r ~/vide.pcap -r ~/vide.pcap bro.init mt
line 1: run-time error: precompile_pcap_filter: pcap_compile(((((((((tcp port 113) or ((ip[6:2] & 0x3fff != 0) and tcp)) or (tcp[13] & 7 != 0)) or (udp port 123)) or (port finger)) or (port ftp)) or (port telnet or tcp port 513)) or (udp port 69)) or (port 111)): too many registers needed to evaluate expression
can't compile filter ((((((((tcp port 113) or ((ip[6:2] & 0x3fff != 0) and tcp)) or (tcp[13] & 7 != 0)) or (udp port 123)) or (port finger)) or (port ftp)) or (port telnet or tcp port 513)) or (udp port 69)) or (port 111)
bro creates empty files:
alarm.log
conn.log
ftp.log
notice.log
weird.log
Here bro has 8 files;
I don't have the problem with only 7 pcap files.
I use bro on the FreeBSD 4.11 platform.
Regards
Rmkml