Problem: Bro listening on two ethernet interfaces

Jason :

Thanks for all the help.

Here is the output you'd ask for:

[/tmp]# bro -i eth2 -i eth3 mt.bro print-filter.bro
listening on eth2
listening on eth3
Reading .state/state.bst ...
((((((((port 111) or (port telnet or tcp port 513)) or (port finger)) or ((ip[6:2] & 0x3fff != 0) and tcp)) or (tcp[13] & 7 != 0)) or (udp port 69)) or (port ftp)) or (tcp port 113)) or (udp port 123)

[/tmp]# /usr/local/bro/bin/bro -i eth2 -i eth3 mt.bro
listening on eth2
listening on eth3
Reading .state/state.bst ...
1117554540.647671 received termination signal
3374 packets received on interface eth2, 479 dropped
3602 packets received on interface eth3, 610 dropped

[ Re-ran the command ]

[/tmp]# /usr/local/bro/bin/bro -i eth2 -i eth3 mt.bro
listening on eth2
listening on eth3
1117554872.292885 received termination signal
2297 packets received on interface eth2, 50 dropped
2435 packets received on interface eth3, 48 dropped

[/tmp]# /usr/bin/time tcpdump -c 25000 -i eth2 -n -w /dev/null
tcpdump: listening on eth2
26277 packets received by filter
1270 packets dropped by kernel
0.04user 0.25system 0:03.88elapsed 7%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (189major+123minor)pagefaults 0swaps

[/tmp]# /usr/bin/time tcpdump -c 25000 -i eth3 -n -w /dev/null
tcpdump: listening on eth3
25188 packets received by filter
184 packets dropped by kernel
0.04user 0.12system 0:04.17elapsed 3%CPU (0avgtext+0avgdata 0maxresident)k
0inputs+0outputs (189major+123minor)pagefaults 0swaps

Also, here is the Bro capture filter which is seen in the info.log once I start Bro. Since we are adding some capture filter in the site policy file, I thought I should paste the capture filter too.

Bro Version: 0.9a8
Started with the following command line options: -i eth2 -i eth3 bro
listening on eth2
listening on eth3
Reading .state/state.bst ...
Capture filter: (((((((((((((((((((((port 53) or (port smtp)) or (port 111)) or (port 111)) or (port 143)) or (tcp src port 3128 or tcp src port 3120)) or (port smtp)) or (tcp[2:2] > 32770 and tcp[2:2] < 32901 and tcp[0:2] != 80 and tcp[0:2] != 22 and tcp[0:2] != 139)) or (port ftp)) or (port 161 or port 162)) or ( icmp)) or ((ip[6:2] & 0x3fff != 0) and tcp)) or (tcp dst port 3128 or tcp dst port 3120)) or (tcp port 80 or tcp port 8080 or tcp port 8000 or tcp port 8001)) or (port telnet or tcp port 513)) or (port ftp)) or (tcp[13] & 7 != 0)) or (tcp port 514)) or (port 512 or port 513 or port 515)) or (udp port 69)) or (port telnet)) or ((src net 141.142.0.0/16) and (dst port 135 or dst port 137 or dst port 139 or dst port 445))

Thanks a lot for looking into this.

Aashish
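As an added example that is not part of this thread (it is neither the poster's nor Bro's own code): a small Python script that pulls the per-interface receive/drop counters out of the Bro and tcpdump summaries pasted above and turns them into drop percentages, and that flattens Bro's left-nested `or` capture filter into its individual clauses to show which ones are listed more than once (in the info.log filter above, `port 111`, `port smtp`, `port ftp` and `port telnet` each appear twice). The sample text is a copy of the output above embedded inline so the script runs offline; the 1% drop threshold and all function names are assumptions made here.

```python
import re
from collections import Counter
from typing import List, NamedTuple

# Constructed sample: the per-interface summaries from the post, copied into a
# string so the script runs offline. Bro prints one "received ... dropped" line
# per interface on termination; tcpdump prints libpcap's counters when it exits.
SAMPLE_OUTPUT = """\
1117554540.647671 received termination signal
3374 packets received on interface eth2, 479 dropped
3602 packets received on interface eth3, 610 dropped
tcpdump: listening on eth2
26277 packets received by filter
1270 packets dropped by kernel
tcpdump: listening on eth3
25188 packets received by filter
184 packets dropped by kernel
"""

# The capture filter from the poster's info.log, split over adjacent string
# literals only for readability (Python joins them into one string).
SAMPLE_FILTER = (
    "(((((((((((((((((((((port 53) or (port smtp)) or (port 111)) or (port 111))"
    " or (port 143)) or (tcp src port 3128 or tcp src port 3120)) or (port smtp))"
    " or (tcp[2:2] > 32770 and tcp[2:2] < 32901 and tcp[0:2] != 80 and tcp[0:2] != 22"
    " and tcp[0:2] != 139)) or (port ftp)) or (port 161 or port 162)) or ( icmp))"
    " or ((ip[6:2] & 0x3fff != 0) and tcp)) or (tcp dst port 3128 or tcp dst port 3120))"
    " or (tcp port 80 or tcp port 8080 or tcp port 8000 or tcp port 8001))"
    " or (port telnet or tcp port 513)) or (port ftp)) or (tcp[13] & 7 != 0))"
    " or (tcp port 514)) or (port 512 or port 513 or port 515)) or (udp port 69))"
    " or (port telnet)) or ((src net 141.142.0.0/16) and (dst port 135 or dst port 137"
    " or dst port 139 or dst port 445))"
)


class IfaceStats(NamedTuple):
    tool: str
    iface: str
    received: int
    dropped: int

    def drop_pct(self) -> float:
        """Dropped packets as a percentage of packets received on the interface."""
        return 100.0 * self.dropped / self.received if self.received else 0.0


BRO_RE = re.compile(r"^(\d+) packets received on interface (\S+), (\d+) dropped$")
TCPDUMP_LISTEN_RE = re.compile(r"^tcpdump: listening on (\S+)")
TCPDUMP_RECV_RE = re.compile(r"^(\d+) packets received by filter$")
TCPDUMP_DROP_RE = re.compile(r"^(\d+) packets dropped by kernel$")


def parse_stats(text: str) -> List[IfaceStats]:
    """Pull per-interface receive/drop counters out of Bro and tcpdump output."""
    results: List[IfaceStats] = []
    iface = received = None  # state carried across tcpdump's three summary lines
    for raw in text.splitlines():
        line = raw.strip()
        if m := BRO_RE.match(line):
            results.append(IfaceStats("bro", m.group(2), int(m.group(1)), int(m.group(3))))
        elif m := TCPDUMP_LISTEN_RE.match(line):
            iface, received = m.group(1), None
        elif m := TCPDUMP_RECV_RE.match(line):
            received = int(m.group(1))
        elif (m := TCPDUMP_DROP_RE.match(line)) and iface and received is not None:
            results.append(IfaceStats("tcpdump", iface, received, int(m.group(1))))
            iface = received = None
    return results


def flag_lossy(stats: List[IfaceStats], threshold_pct: float = 1.0) -> List[IfaceStats]:
    """Interfaces whose drop rate exceeds threshold_pct (the 1% default is an assumption)."""
    return [s for s in stats if s.drop_pct() > threshold_pct]


def _strip_outer(expr: str) -> str:
    """Remove parentheses that enclose the whole expression, as many layers as there are."""
    s = expr.strip()
    while s.startswith("(") and s.endswith(")"):
        depth = 0
        for i, c in enumerate(s):
            depth += (c == "(") - (c == ")")
            if depth == 0 and i != len(s) - 1:
                return s  # the first '(' closes before the end: not an enclosing pair
        s = s[1:-1].strip()
    return s


def _split_or(expr: str) -> List[str]:
    """Split on ' or ' at parenthesis depth 0 only."""
    parts, depth, start, i = [], 0, 0, 0
    while i < len(expr):
        c = expr[i]
        depth += (c == "(") - (c == ")")
        if depth == 0 and expr.startswith(" or ", i):
            parts.append(expr[start:i])
            i += 4
            start = i
        else:
            i += 1
    parts.append(expr[start:])
    return parts


def disjuncts(capture_filter: str) -> List[str]:
    """Flatten Bro's nested '((A) or (B)) or (C)' filter into its top-level 'or' clauses."""
    s = _strip_outer(capture_filter)
    parts = _split_or(s)
    if len(parts) == 1:
        return [s]
    return [leaf for p in parts for leaf in disjuncts(p)]


def duplicate_clauses(capture_filter: str) -> List[str]:
    """Clauses that the site policy ends up putting into the filter more than once."""
    return sorted(c for c, n in Counter(disjuncts(capture_filter)).items() if n > 1)


if __name__ == "__main__":
    for s in parse_stats(SAMPLE_OUTPUT):
        print(f"{s.tool:8s} {s.iface}: {s.received} received, {s.dropped} dropped ({s.drop_pct():.1f}%)")
    print("duplicate filter clauses:", duplicate_clauses(SAMPLE_FILTER))
```

The duplicated clauses are harmless to BPF (`or` is idempotent), so they do not explain the drops; the point of listing them is to see what the site policy actually contributes to the filter. The drop percentages are what to compare between the single-interface tcpdump runs and the two-interface Bro runs.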