problem of multi-interface monitor?

user12 · December 22, 2004, 5:42pm

Hello,
when i execute “bro -i eth0 -i eth1 login.bro”,bro only capture and deal with packets from eth0 and drop all from eth1.

“1103734623.487821:ContentGap:NOTICE_ALARM_ALWAYS::192.168.10.10:2422/tcp:192.168.10.77:23/tcp::::::192.168.10.10/2422 > 192.168.10.77/telnet content gap (> 69/11):”

after that,i emove “capture-filter …” fom login.bro and try again,bro can capture and do rightly.

why? and how can i solve this problem?

sorry,i am not familiar whit BRO.

Ruoming_Pang · December 30, 2004, 6:53pm

What if you execute "bro -f '' ..." (which manually sets the filter to capture all packets)?

How about '-f "port telnet or tcp port 513"'?

Finally, without specifying the -f flag, what's the output if you print capture_filter in event bro_init()? Adding the following piece of code (to login.bro) will do:

event bro_init()
  {
  print fmt("%s", capture_filter);
  }

Ruoming

Topic		Replies	Views
problem of multi-interface monitor? Zeek	1	73	May 6, 2022
Multiple Capture Interfaces Zeek	9	98	May 6, 2022
Problem: Bro listening on two ethernet interfaces Zeek	2	100	May 6, 2022
Multi interfaces, one with and one without vlan tagging Zeek	2	89	May 6, 2022
Problem: Bro listening on two ethernet interfaces Zeek	1	64	May 6, 2022

problem of multi-interface monitor?

Related topics