Hey all…trying to pass this:
broargs = --filter not ip6
a few different ways, but I'm not having much luck:
broargs = --filter not ip6
broargs = --filter 'not ip6'
broargs = --filter "not ip6"
==== stderr.log
error: can't open ip6
or
==== stderr.log
/usr/local/bro/share/broctl/scripts/broctl-config.sh: line 67: ip6: command not found
error: can't open ip6
==== .cmdline
-i eth1 -U .status -p broctl -p broctl-live -p standalone -p local -p bro local.bro broctl broctl/standalone broctl/auto --filter not ip6
Any hints on how to pass the filter the right way? Thanks all.
James
You need to quote the value of the --filter option like this:
broargs = --filter 'not ip6'
There was a bug that was preventing this from working.
If you look in <prefix>/share/broctl/scripts (<prefix>
is your Bro install prefix), you can patch the following
scripts:
--- check-config.orig
+++ check-config
@@ -25,7 +25,7 @@ export PATH=${bindir}:${scriptsdir}:$PATH
echo $@ >.cmdline
touch .checking
-${bro} $@
+${bro} "$@"
rc=$?
if [ "$rc" == "0" ] && [ "$print_scripts" == "1" ]; then
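Review bot: The context line `echo $@ >.cmdline` directly above the changed line still expands `$@` unquoted, so .cmdline records the arguments re-split and flattened and cannot show whether 'not ip6' reached bro as one argument or two. Consider `echo "$@" >.cmdline` at minimum, and also quoting `${bro}` on the changed line so an install path containing whitespace does not get split the way the filter was.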
--- helpers/start.orig
+++ helpers/start
@@ -9,7 +9,7 @@ shift
rm -f .pid
-nohup ${scriptsdir}/run-bro $@ >stdout.log 2>stderr.log &
+nohup ${scriptsdir}/run-bro "$@" >stdout.log 2>stderr.log &
while [ ! -s .pid ]; do
sleep 1
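Review bot: On the changed line `${scriptsdir}/run-bro` is still unquoted, so a scripts directory containing whitespace would be split the same way the filter expression was; `nohup "${scriptsdir}/run-bro" "$@" >stdout.log 2>stderr.log &` closes that. The quoting here only helps if run-bro forwards "$@" quoted too, so this hunk and the run-bro hunk need to be applied together.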
--- run-bro.orig
+++ run-bro
@@ -71,9 +71,9 @@ if [ -n "${pin_command}" -a $pin_cpu -ge 0 ]; then
fi
fi
- nohup ${pin_command} $pin_cpu $mybro $@ &
+ nohup ${pin_command} $pin_cpu $mybro "$@" &
else
- nohup $mybro $@ &
+ nohup $mybro "$@" &
fi
child=$!
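Review bot: Both changed lines still leave `$mybro` unquoted, and the first one also leaves `$pin_cpu` unquoted, so the fix covers the forwarded arguments but not the command path itself; `"$mybro" "$@"` would be consistent with the intent. If `${pin_command}` is deliberately unquoted because it holds a command plus options, a short comment saying so would stop someone from "fixing" it later. The test in the hunk header, `[ -n "${pin_command}" -a $pin_cpu -ge 0 ]`, also uses `$pin_cpu` unquoted and will produce a test syntax error if that variable is empty.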
--- run-bro-on-trace.orig
+++ run-bro-on-trace
@@ -20,5 +20,5 @@ cd $cwd
echo $@ >.cmdline
touch .testing
-${bro} -r $trace $@
+${bro} -r $trace "$@"
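Review bot: `$trace` on the changed line is still unquoted, so a trace file path containing spaces or glob characters is split or expanded before bro sees it; use `${bro} -r "$trace" "$@"`. The context line `echo $@ >.cmdline` has the same unquoted expansion as the one in check-config and should be changed along with it.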
Wow thanks a TON Daniel....patched up and good to go 
James
In your local.bro, something like this:
redef PacketFilter::all_packets = F; # don't capture all packets
redef capture_filters = [[ "all"] = "not ip6"];
Thanks Justin...I had not thought of that.
James
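The quoting bug fixed by the patch earlier in this thread, reproduced as an added example (not code from the thread or from broctl). `fake_bro` and the `start_*`/`run_bro_*` functions are hypothetical stand-ins for bro, helpers/start and run-bro; the default IFS is assumed.

```shell
#!/bin/sh
# Hypothetical stand-in for the bro binary: prints
#   <argument count>|<value taken for --filter>|<leftover positional words>
fake_bro() {
    argc=$# filter= extra=
    while [ $# -gt 0 ]; do
        case $1 in
            --filter) [ $# -ge 2 ] && { filter=$2; shift; } ;;
            -i)       [ $# -ge 2 ] && shift ;;
            *)        extra="$extra<$1>" ;;
        esac
        shift
    done
    printf '%s|%s|%s\n' "$argc" "$filter" "$extra"
}

# Stand-ins for run-bro, before and after the patch.
run_bro_unquoted() { fake_bro $@; }     # $@ is re-split on whitespace
run_bro_quoted()   { fake_bro "$@"; }   # each argument forwarded intact

# Stand-ins for helpers/start calling run-bro.
start_unpatched()    { run_bro_unquoted $@; }    # both hops unquoted
start_half_patched() { run_bro_unquoted "$@"; }  # only the first hop fixed
start_patched()      { run_bro_quoted "$@"; }    # both hops fixed

# Constructed sample arguments, modelled on the .cmdline shown in the thread.
start_unpatched    -i eth1 --filter 'not ip6'   # 5|not|<ip6>
start_half_patched -i eth1 --filter 'not ip6'   # 5|not|<ip6>
start_patched      -i eth1 --filter 'not ip6'   # 4|not ip6|
```

In the first two cases the filter is cut down to `not` and `ip6` is left over as a stray positional word, which is consistent with the `can't open ip6` line in stderr.log; one unquoted hop anywhere in the chain is enough to lose the quoting.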