Quick af_packet question

Love the plugin, thanks... quick question for the CLI: does af_packet need -i for multiple interfaces, or can it be used like Snort with af_packet::eth0:eth1? Thank you.

James

So far my testing says yes:

09:30:56 @tester:/opt/bro/spool$] sudo bro -C -i af_packet::eth0:wlan0
listening on eth0:wlan0

eth0 Link encap:Ethernet HWaddr 00:1f:f3:46:62:ca
           inet addr:192.168.1.7 Bcast:192.168.1.255 Mask:255.255.255.0
           inet6 addr: fe80::21f:f3ff:fe46:62ca/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
           RX packets:434251 errors:0 dropped:59 overruns:0 frame:0
           TX packets:261164 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:600874115 (600.8 MB) TX bytes:70240696 (70.2 MB)
           Interrupt:16

wlan0 Link encap:Ethernet HWaddr 00:23:6c:7b:29:1d
           inet addr:192.168.1.60 Bcast:192.168.1.255 Mask:255.255.255.0
           inet6 addr: fe80::223:6cff:fe7b:291d/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
           RX packets:74 errors:0 dropped:0 overruns:0 frame:0
           TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:10726 (10.7 KB) TX bytes:1820 (1.8 KB)

ssh.log:
1481906017.175240 CWWs1B3RQhgUy1QqT2 192.168.1.2 45480 192.168.1.7 22 2 T 1 - SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8 SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 chacha20-poly1305@openssh.com umac-64-etm@openssh.com none curve25519-sha256@libssh.org ssh-rsa

1481906687.051242 CfvBJT3Gs2r7YAX2n1 192.168.1.2 34956 192.168.1.60 22 2 T 1 - SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8 SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 chacha20-poly1305@openssh.com umac-64-etm@openssh.com none curve25519-sha256@libssh.org ssh-rsa

but wanting to verify. Thank you.

James

Does not appear to decode PPPoE however :(

Hi James,

to be honest, I don't know that interfaceA:interfaceB notation at all.
Doing a quick search, it seems related to running Snort inline. Actually,
I don't think AF_Packet can be used to capture from two different
interfaces using a single instance of Bro. But, running a cluster, one
could set up a worker per interface using AF_Packet. The latest version
of the plugin contains an additional broctl plugin to allow specifying
the necessary parameters (workers will need different fanout_ids, see
https://bro-tracker.atlassian.net/browse/BIT-1747). The README was
extended as well to provide some information on how to set up Bro and
AF_Packet using broctl.

Hope that helps,
Jan
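
As an added example (not from the thread, the plugin or its README), here is a small check for the one-worker-per-interface setup Jan describes: it parses a constructed broctl node.cfg and reports AF_Packet workers on the same host that reuse a fanout_id. The option name af_packet_fanout_id is assumed from the plugin's broctl documentation; confirm it against your plugin version.

```python
import configparser

# Constructed node.cfg (example input): one AF_Packet worker per interface.
# Both workers share fanout_id 23, the misconfiguration BIT-1747 warns about.
# af_packet_fanout_id is assumed to be the plugin's per-node option name.
NODE_CFG = """
[worker-eth0]
type=worker
host=localhost
interface=af_packet::eth0
lb_procs=2
af_packet_fanout_id=23

[worker-wlan0]
type=worker
host=localhost
interface=af_packet::wlan0
lb_procs=1
af_packet_fanout_id=23
"""


def af_packet_workers(cfg_text):
    """Map worker name -> (host, interface, fanout_id) for af_packet:: workers."""
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    workers = {}
    for name in cp.sections():
        sec = cp[name]
        iface = sec.get("interface", "")
        if sec.get("type") != "worker" or not iface.startswith("af_packet::"):
            continue
        workers[name] = (sec.get("host", "localhost"),
                         iface[len("af_packet::"):],
                         sec.get("af_packet_fanout_id"))
    return workers


def clashing_fanout_ids(cfg_text):
    """Return {(host, fanout_id): [workers]} for ids reused by more than one
    AF_Packet worker on a host. The lb_procs processes of a single worker
    legitimately share one id, so grouping is per worker, not per process."""
    groups = {}
    for name, (host, _iface, fid) in af_packet_workers(cfg_text).items():
        groups.setdefault((host, fid), []).append(name)
    return {key: names for key, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for (host, fid), names in clashing_fanout_ids(NODE_CFG).items():
        print(f"{host}: fanout_id {fid} shared by {', '.join(names)}")
```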

Thanks Jan…those were my final results as well.

James