I am wondering if Bro is able to capture and analyze IGMP packets?
Bro doesn't have an IGMP analyzer. (Contributions for this welcome!)
I tried to turn all filters off ("redef capture_filters = {};" at the end of
brolite-sigs.bro).

I built a very simple signature:

signature header3
{
  src-ip == 10.92.39.3
  event "Header 3"
}

When I run with this on a trace containing only IGMP traffic, nothing happens
even though there are plenty of packets with src-ip == 10.92.39.3 in the trace.
You'll need to redef capture_filters so that it in some fashion includes
this traffic.
Vern