I've installed Bro on a machine with FreeBSD 4.2 (libpcap 0.5). Since
I cannot connect the machine to the network where I am now, I would like
to test my policy. I've tried to start bro on the localhost interface. I am
only using the standard conn.bro file, modified a little bit: the only
processing of events I do is to write the name of the event function. It works
with bro_init(). But nothing is logged (I am not using the log module, so it
should appear in my terminal), but tcpdump 'sees' the traffic (telnet and
ftp on localhost).
I've also tried to read from a dump file of tcpdump (tcpdump -i lo0
-w filename), but I get this kind of output:
weird: 981105864.406810 bad_IP_cheksum

The problem is likely in PktSrc::SetHdrSize(), which is hardwired to know
about a few interface types. Presumably libpcap returns DLT_NULL for
the loopback interface. The code currently sets the header length to 4 bytes
for that type. Perhaps this has changed under FreeBSD (or never worked).
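
One way to check which link-header length a capture actually uses is to test where a valid IPv4 header begins. The sketch below is an added example, not code from Bro or from either message; `ip_header_ok`, `probe_hdr_size` and the sample frame are hypothetical names and constructed data, and the candidate lengths 0, 4 and 14 are the usual sizes for raw IP, DLT_NULL and Ethernet.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: a DLT_NULL frame as a little-endian host would write it:
 * 4-byte address family (AF_INET = 2), then a 20-byte IPv4 header
 * 127.0.0.1 -> 127.0.0.1, protocol 6, total length 20, checksum 0x7ce1. */
static const uint8_t sample_frame[24] = {
    0x02, 0x00, 0x00, 0x00,
    0x45, 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0x00,
    0x40, 0x06, 0x7c, 0xe1, 0x7f, 0x00, 0x00, 0x01,
    0x7f, 0x00, 0x00, 0x01,
};

/* Return 1 if p starts with an IPv4 header whose checksum verifies. */
static int ip_header_ok(const uint8_t *p, size_t len)
{
    if (len < 20 || (p[0] >> 4) != 4)
        return 0;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;   /* header length in bytes */
    if (ihl < 20 || ihl > len)
        return 0;
    uint32_t sum = 0;                          /* ones-complement sum */
    for (size_t i = 0; i < ihl; i += 2)
        sum += (uint32_t)((p[i] << 8) | p[i + 1]);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return sum == 0xffff;
}

/* Try common link-header lengths: 0 (raw IP), 4 (DLT_NULL), 14 (Ethernet).
 * Return the first at which a valid IPv4 header starts, or -1. */
static int probe_hdr_size(const uint8_t *frame, size_t len)
{
    static const size_t candidates[] = { 0, 4, 14 };
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
        if (candidates[i] <= len &&
            ip_header_ok(frame + candidates[i], len - candidates[i]))
            return (int)candidates[i];
    return -1;
}

int main(void)
{
    printf("link header size: %d\n",
           probe_hdr_size(sample_frame, sizeof sample_frame));
    return 0;
}
```

Run against the first packet of the lo0 dump, a result other than 4 would point at the hardwired DLT_NULL length as the source of the checksum weird.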