#./bro -i sk0 -i sk1 mt ncsa
listening on sk0
./bro: problem with interface sk1 - pcap_compile((vlan) and (((((((((ip[6:2] &
0x3fff != 0) and tcp) or (tcp & 0x7 != 0)) or (port finger)) or (tcp port
113)) or (port ftp)) or (port telnet or tcp port 513)) or (port 111)) or (udp
port 123))): expression rejects all packets
The contents of ncsa.bro are:
redef restrict_filter = "vlan";
It's weird; it looks like the pcap expression compiles for one interface but
not the second.
First thing to try is feeding the expression manually to tcpdump for each
of the interfaces, to see whether you get the same message.
I suspect the problem is that "vlan" expands into something that equates with
"not ip", and so the conjunction is always false, since all of the other
expressions require "ip" to be true. I'm not sure how to fix this, as
my version of tcpdump/libpcap doesn't know about "vlan".
purposes I don't need to look at the native VLAN since there is no traffic
Then wouldn't your filter be "not vlan" rather than "vlan"?
In order to get this far I had to rearrange the order of capture_f and
restrict_f in main.cc; I put restrict on the left and capture on the left.
Without doing that, the expression wouldn't compile the pcap expression for
the first interface.
That doesn't sound good - they're just a conjunction together, so pcap
should compile them in either order. I wonder if "vlan" is implemented
inside pcap as some sort of hack ...
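As an added example (not part of this thread or of Bro's code), here is the manual check suggested above done without opening an interface: a POSIX shell script that writes an empty pcap savefile for a chosen link type and has tcpdump -d compile the expression against it, trying the restrict/capture conjunction in both orders. It assumes tcpdump is installed, uses link type 1 (Ethernet) and a stand-in capture filter `ip or arp` rather than Bro's real one; since libpcap's `vlan` keyword shifts the decoding offsets for everything that follows it in the expression, the two orders are not the same filter, which is why the order is worth checking.

```shell
#!/bin/sh
# Offline version of "feed the expression manually to tcpdump": write a pcap
# savefile holding only a 24-byte global header for the wanted link type and
# let "tcpdump -r FILE -d EXPR" compile the expression against it. No root,
# no interface and no live traffic needed. (Added example; assumptions noted.)

# Write an empty pcap savefile (header only) to stdout.
# $1 = link type number; 1 = DLT_EN10MB (Ethernet), assumed for sk0/sk1.
make_empty_pcap() {
    lt=${1:-1}
    [ "$lt" -ge 0 ] && [ "$lt" -lt 256 ] || return 1   # one byte is enough here
    oct=$(printf '%03o' "$lt")
    # magic 0xa1b2c3d4 (little endian), version 2.4, thiszone 0, sigfigs 0,
    # snaplen 65535, then the link type as a 32-bit little-endian integer
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000'
    printf "\\$oct\\000\\000\\000"
}

# Bro joins its restrict filter and capture filter with "and"; build that
# conjunction in a chosen order so the two orders can be compared.
bro_filter() {
    printf '(%s) and (%s)' "$1" "$2"
}

# Compile expression $2 against savefile $1. Exit status: 0 if it compiles
# (tcpdump prints the BPF listing), 1 if libpcap rejects it (for example
# "expression rejects all packets"), 2 if tcpdump is not installed.
compile_filter() {
    command -v tcpdump >/dev/null 2>&1 || return 2
    tcpdump -r "$1" -d "$2"
}

# Demo: "vlan" on each side of a stand-in capture filter ("ip or arp" here,
# not Bro's real one), mirroring the restrict_f/capture_f swap in main.cc.
demo() {
    pcap=${TMPDIR:-/tmp}/filtertest.$$.pcap
    make_empty_pcap 1 >"$pcap"
    for expr in "$(bro_filter vlan 'ip or arp')" "$(bro_filter 'ip or arp' vlan)"; do
        echo "== $expr"
        compile_filter "$pcap" "$expr" || echo "(tcpdump exit status $?)"
    done
    rm -f "$pcap"
}

demo
```

To test the second interface's actual link type, pass its DLT number (as shown by `tcpdump -i sk1 -d` or in the savefile header) to make_empty_pcap instead of 1.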