[ https://bro-tracker.atlassian.net/browse/TM-16?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15401#comment-15401 ]
Marek Balint edited comment on TM-16 at 2/7/14 12:29 PM:
---------------------------------------------------------

Attaching patch which should solve this problem (tm-16.patch).

was (Author: mareq):
Attaching patch which should solve this problem.

> Index not working when traffic encapsulated in 802.1q trunk
> -----------------------------------------------------------
>
> Key: TM-16
> URL: https://bro-tracker.atlassian.net/browse/TM-16
> Project: Time Machine
> Issue Type: Problem
> Affects Versions: git/master
> Environment: Ubuntu 10.04, pf_ring
> Reporter: tyler.schoenke
> Labels: 802.1Q, indexes
> Attachments: tm-16.patch
>
>
> Hi All,
> When I query the time machine index, I am not receiving any results.
> I just restarted time machine, and checked one of the recent class files to
> see there is traffic for a particular IP address.
> tcpdump -e -v -n -r class_all_1385406639.023206 "vlan and host 128.138.44.198"
> It shows some traffic, example:
> 128.138.44.198.54014 > 74.125.225.209.443: Flags [.], cksum 0x8d2c
> (correct), seq 1283940799:1283940800, ack 615539104, win 16311, length 1
> 19:11:00.571731632 10:8c:cf:57:46:00 > 00:1d:09:6a:d9:a9, ethertype 802.1Q
> (0x8100), length 70: vlan 987, p 0, ethertype IPv4, (tos 0x0, ttl 56, id
> 17482, offset 0, flags [none], proto TCP (6), length 52)
> When I telnet localhost 42042 and run the following command, I don't receive
> any results.
> query to_file "128.138.44.198.pcap" index ip "128.138.44.198"
> In the above tcpdump, you can see my traffic is 802.1Q trunked. I have to
> use the "vlan" BPF to extract it with tcpdump, and am wondering if the
> trunking is causing problems with indexing?
> I tested the same version of time machine on non-trunked traffic, and the
> index works fine.
> Let me know if you need any other configuration info.
> Tyler
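An added example, not part of the original message and not Time Machine's code or the contents of tm-16.patch: it shows how an address lookup that assumes the EtherType sits at a fixed offset finds no IPv4 header in an 802.1Q-tagged frame, next to a variant that skips the tag first. The function names are hypothetical and the frame is constructed from the values in the tcpdump output quoted above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETHERTYPE_IPV4 0x0800
#define ETHERTYPE_VLAN 0x8100   /* 802.1Q tag */

/* Constructed sample frame using the addresses and VLAN from the tcpdump line. */
static const uint8_t SAMPLE_FRAME[] = {
    0x00,0x1d,0x09,0x6a,0xd9,0xa9,            /* dst MAC */
    0x10,0x8c,0xcf,0x57,0x46,0x00,            /* src MAC */
    0x81,0x00, 0x03,0xdb,                     /* 802.1Q tag, VLAN 987 */
    0x08,0x00,                                /* inner EtherType: IPv4 */
    0x45,0x00,0x00,0x34, 0x44,0x4a,0x00,0x00, /* IPv4: length 52, id 17482 */
    0x38,0x06,0x00,0x00,                      /* ttl 56, TCP, checksum zeroed */
    0x80,0x8a,0x2c,0xc6,                      /* src 128.138.44.198 */
    0x4a,0x7d,0xe1,0xd1                       /* dst 74.125.225.209 */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hypothetical naive lookup: expects IPv4 right after the two MAC addresses. */
int ipv4_src_naive(const uint8_t *f, size_t len, uint8_t out[4]) {
    if (len < 14 + 20 || rd16(f + 12) != ETHERTYPE_IPV4) return -1;
    memcpy(out, f + 14 + 12, 4);
    return 0;
}

/* Hypothetical VLAN-aware lookup: skips up to two 4-byte 802.1Q tags first. */
int ipv4_src_vlan_aware(const uint8_t *f, size_t len, uint8_t out[4], int *vlan) {
    size_t off = 12;                        /* offset of the EtherType field */
    *vlan = -1;
    for (int n = 0; n < 2 && len >= off + 4 && rd16(f + off) == ETHERTYPE_VLAN; n++) {
        *vlan = rd16(f + off + 2) & 0x0FFF; /* low 12 bits of the TCI */
        off += 4;
    }
    if (len < off + 2 + 20 || rd16(f + off) != ETHERTYPE_IPV4) return -1;
    memcpy(out, f + off + 2 + 12, 4);       /* IPv4 source address */
    return 0;
}

int main(void) {
    uint8_t ip[4]; int vlan;
    printf("naive: %d\n", ipv4_src_naive(SAMPLE_FRAME, sizeof SAMPLE_FRAME, ip));
    if (ipv4_src_vlan_aware(SAMPLE_FRAME, sizeof SAMPLE_FRAME, ip, &vlan) == 0)
        printf("vlan %d src %u.%u.%u.%u\n", vlan, ip[0], ip[1], ip[2], ip[3]);
    return 0;
}
```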