Posted by:dragorn
Subject:Adding kistap0 to bridge
Date:14:31:29 20/04/2012

> > What are you trying to do that you're trying to use a bridge?
> Snort integration. Newer versions, I believe, combine all interfaces (eth0, eth1, etc.) into one interface (mon0) and I was trying to add it to the monitor interface. When I try to add it to that interface and start Snort, it dies due to encapsulation. The alternative is to use Kismet pcaps, which works, but not as effective.

You wouldn't be able to mix multiple linktypes on one bridge/pseudointerface, because it would say it's EN10MB and then throw a dot11 frame in there and nothing would be valid.

Snort should be able to capture from multiple interfaces at once - give it eth0 and kistap0 and let it go. If they removed that functionality, that's... bad. I suppose worst case you have to run two instances of snort.

The overhead of doing 2 interfaces vs 1 is effectively nonexistent in the grand scheme of things, so there should be no observable performance hits for doing two interfaces.

