I've installed Bro on a machine with FreeBSD 4.2 (libpcap 0.5). Since
I cannot connect the machine to the network where I am now, I would like
to test my policy. I've tried to start bro on the localhost interface. I am
only using the standard conn.bro file, modified a little bit: the only
event processing I do is to write the name of the event function. It works
with bro_init(). But nothing is logged (I am not using the log module, so it
should appear in my terminal), but tcpdump 'sees' the traffic (telnet and
ftp on localhost).
I've also tried to read from a dump file of tcpdump (tcpdump -i lo0
-w filename), but I get this kind of output:
weird: 981105864.406810 bad_IP_cheksum
I've tried to read the file with tcpdump (-r filename) and it works. So I
thought that maybe my localhost device does not format the packets correctly
and tried to read a dump from another machine. But even tcpdump won't read
these files (coming from a Linux box).
Does somebody have a raw dump to try or, even better, a solution to my