When I start up bro, I get the following message:
#./bro -i sk0 -i sk1 mt ncsa
listening on sk0
./bro: problem with interface sk1 - pcap_compile((vlan) and (((((((((ip[6:2] &
0x3fff != 0) and tcp) or (tcp[13] & 0x7 != 0)) or (port finger)) or (tcp port
113)) or (port ftp)) or (port telnet or tcp port 513)) or (port 111)) or (udp
port 123))): expression rejects all packets
The contents of ncsa.bro are:
redef restrict_filter = "vlan";
It's weird; it looks like the pcap expression compiles for one interface but
not the second.
The link I am running bro on uses 802.1Q VLAN tagging, which is supported
by recent versions of libpcap. (Well, mostly supported: you can either look
at tagged frames or frames on the native VLAN, but not both at the same time,
because of the way libpcap handles the VLAN tags internally. For my
purposes I don't need to look at the native VLAN since there is no traffic
on it.)
In order to get this far I had to rearrange the order of capture_f and
restrict_f in main.cc; I put restrict on the left and capture on the left.
Without doing that, the pcap expression wouldn't compile for the
first interface.
Any suggestions?
Thanks,
Jon
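To illustrate the "tagged frames or native VLAN, but not both" limitation described above, here is an added example (not code from the post or from Bro/libpcap) that models how a libpcap `vlan` primitive shifts the offsets of every later primitive in the filter; the frames are constructed inline and the match() function is a simplified stand-in for the real BPF matcher.

```python
import struct

ETHERTYPE_VLAN = 0x8100  # 802.1Q tag follows the source MAC
ETHERTYPE_IP = 0x0800
IPPROTO_TCP = 6


def build_frame(tagged: bool, sport: int, dport: int) -> bytes:
    """Constructed sample frame: Ethernet [+ 802.1Q tag] + minimal IPv4 + TCP ports."""
    eth = b"\x00" * 12  # dst + src MAC (dummy values)
    if tagged:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, 100)  # TCI: VLAN id 100
    eth += struct.pack("!H", ETHERTYPE_IP)
    ip = (bytes([0x45, 0]) + struct.pack("!H", 40) + b"\x00\x00" + b"\x00\x00"
          + bytes([64, IPPROTO_TCP]) + b"\x00\x00"
          + b"\x0a\x00\x00\x01" + b"\x0a\x00\x00\x02")  # 20-byte IPv4 header
    tcp = struct.pack("!HH", sport, dport) + b"\x00" * 16
    return eth + ip + tcp


def match(frame: bytes, expr_has_vlan: bool, port: int) -> bool:
    """Evaluate '[vlan and] (tcp port <port>)'. Once 'vlan' appears in the
    expression, each later primitive reads the ethertype 4 bytes further in;
    without it, the ethertype is read at the untagged offset 12."""
    off = 12
    if expr_has_vlan:
        if struct.unpack_from("!H", frame, off)[0] != ETHERTYPE_VLAN:
            return False  # native-VLAN (untagged) frame never matches
        off += 4
    if struct.unpack_from("!H", frame, off)[0] != ETHERTYPE_IP:
        return False  # a tagged frame reads 0x8100 here when 'vlan' is absent
    ip = off + 2
    ihl = (frame[ip] & 0x0F) * 4
    if frame[ip + 9] != IPPROTO_TCP:
        return False
    sport, dport = struct.unpack_from("!HH", frame, ip + ihl)
    return port in (sport, dport)


def filter_coverage(port: int = 113) -> dict:
    """Which frame kinds each filter variant sees: neither variant covers both."""
    tagged, native = build_frame(True, 40000, port), build_frame(False, 40000, port)
    return {
        "vlan and tcp port": (match(tagged, True, port), match(native, True, port)),
        "tcp port": (match(tagged, False, port), match(native, False, port)),
    }
```

Each tuple is (tagged frame matched, native-VLAN frame matched); the `vlan` variant sees only tagged traffic and the plain variant only untagged traffic, which is why the post settles for tagged frames alone.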