[Bro] No packets for me

Randolph Reitz rreitz at fnal.gov
Mon Mar 5 14:04:00 PST 2007


Hi,

Fermilab is making another run at BRO.  A machine running Scientific  
Linux Fermi LTS release 4.4 (Wilson) has been set up for BRO  
testing.  It has a span of the border traffic fed from a GigaVue to  
eth2 (an Intel PRO/1000 MT Dual Port) on the Linux box.  Installing  
BRO 1.2.1 was no problem.

./configure reported...
               Broccoli Configuration Summary
==========================================================

    - Debugging enabled:     no
    - Pcap packet support:   yes
    - Semaphores used:       POSIX
    - Shared memory used:    SYSV

   Now run:

   $ make
   # make install

   (or use gmake when make on your platform isn't GNU make)


                  Bro Configuration Summary
==========================================================

   - Debugging enabled:      no
   - OpenSSL support:        yes
   - Non-blocking main loop: yes
   - Non-blocking resolver:  yes
   - Installation prefix:    /usr/local/bro
   - Perl interpreter:       /usr/bin/perl
   - Using basic_string:     yes
   - Using libmagic:         Yes
   - Using libclamav:        No
   - Pcap used:              system-provided

Make was uneventful.  Install put everything in /usr/local/bro.

After starting BRO and letting it run for ~20 minutes, it reports  
seeing 4 packets.

[root at rhyolite rreitz]# export BROPATH=/usr/local/bro/policy:/usr/local/bro/policy/sigs
[root at rhyolite rreitz]# bro -i eth2 brolite
/usr/local/bro/policy/scan.bro, line 92: warning: no such host: j5004.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 92: warning: no such host: j5005.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host: j5006.inktomisearch.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host: j100.inktomi.com
/usr/local/bro/policy/scan.bro, line 93: warning: no such host: j101.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host: j3002.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host: si3000.inktomi.com
/usr/local/bro/policy/scan.bro, line 94: warning: no such host: si3001.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host: si3002.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host: si3003.inktomi.com
/usr/local/bro/policy/scan.bro, line 95: warning: no such host: si4000.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host: si4001.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host: si4002.inktomi.com
/usr/local/bro/policy/scan.bro, line 96: warning: no such host: wm3018.inktomi.com
listening on eth2
1173131791.280848 received termination signal
4 packets received on interface eth2, 0 dropped

Hmm, I expected more packets.  Eth2 seems to be receiving packets when bro is started...
[rreitz at rhyolite ~]$ while true;do /sbin/ifconfig eth2 | egrep bytes; sleep 10; done
           RX bytes:4142 (4.0 KiB)  TX bytes:398 (398.0 b)
           RX bytes:28062 (27.4 KiB)  TX bytes:398 (398.0 b)
           RX bytes:57132 (55.7 KiB)  TX bytes:398 (398.0 b)
           RX bytes:72298 (70.6 KiB)  TX bytes:398 (398.0 b)
But after a while...
[rreitz at rhyolite bro]$ while true;do /sbin/ifconfig eth2 | egrep bytes; sleep 10; done
           RX bytes:818658 (799.4 KiB)  TX bytes:398 (398.0 b)
           RX bytes:818658 (799.4 KiB)  TX bytes:398 (398.0 b)
           RX bytes:818658 (799.4 KiB)  TX bytes:398 (398.0 b)
The interface seems stuck.
[rreitz at rhyolite bro]$ /sbin/ifconfig eth2
eth2      Link encap:Ethernet  HWaddr 00:04:23:D1:E3:EB
           inet6 addr: fe80::204:23ff:fed1:e3eb/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:10442 errors:0 dropped:0 overruns:0 frame:0
           TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:818658 (799.4 KiB)  TX bytes:398 (398.0 b)
           Base address:0x1040 Memory:f40a0000-f40c0000

Here is some info on the OS...

[rreitz at rhyolite bro-1.2.1]$ rpm -qa | egrep pcap
libpcap-0.8.3-10.RHEL4
[rreitz at rhyolite bro-1.2.1]$ uname -a
Linux rhyolite.fnal.gov 2.6.9-42.0.10.ELsmp #1 SMP Tue Feb 27 08:38:56 CST 2007 i686 athlon i386 GNU/Linux
[rreitz at rhyolite bro-1.2.1]$ cat /etc/redhat-
redhat-lsb/     redhat-release
[rreitz at rhyolite bro-1.2.1]$ cat /etc/redhat-release
Scientific Linux Fermi LTS release 4.4 (Wilson)
[rreitz at rhyolite bro]$ bro -v
bro version 1.2.1

A search of this email list for 'linux' gets no hits.  Hence I'm  
asking for suggestions.

Thanks,
Randy Reitz
Computer Security Team
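An added example, not part of Randy's post: a POSIX shell check that automates the RX-bytes polling done above and flags the counter plateau seen on eth2, so a stalled span feed is noticed without watching ifconfig by eye. It assumes the ifconfig line format quoted in the post ("RX bytes:NNN (...)"); the sample lines are constructed from the two polling runs shown.

```shell
#!/bin/sh
# Added example (not from the original post): detect a capture interface
# whose RX byte counter has stopped growing. Assumes ifconfig's
# "RX bytes:NNN (...)" line format as quoted in the post.

# Pull the numeric RX byte counter out of one ifconfig line.
rx_bytes() {
    printf '%s\n' "$1" | sed -n 's/.*RX bytes:\([0-9][0-9]*\).*/\1/p'
}

# Read ifconfig samples (one per line) from stdin. Print "stalled" and stop
# as soon as the counter fails to grow for LIMIT consecutive polls (default 2).
# A decrease (counter wrap or interface reset) restarts the streak instead of
# counting as a stall. Print "ok" if the input ends without a stall.
detect_stall() {
    limit=${1:-2}
    prev=''
    streak=0
    while IFS= read -r line; do
        cur=$(rx_bytes "$line")
        [ -n "$cur" ] || continue            # skip lines without a counter
        if [ -n "$prev" ] && [ "$cur" -eq "$prev" ]; then
            streak=$((streak + 1))
            if [ "$streak" -ge "$limit" ]; then
                echo stalled
                return 0
            fi
        else
            streak=0
        fi
        prev=$cur
    done
    echo ok
}

# Constructed samples, copied from the two polling runs quoted in the post.
GROWING='RX bytes:4142 (4.0 KiB)  TX bytes:398 (398.0 b)
RX bytes:28062 (27.4 KiB)  TX bytes:398 (398.0 b)
RX bytes:57132 (55.7 KiB)  TX bytes:398 (398.0 b)
RX bytes:72298 (70.6 KiB)  TX bytes:398 (398.0 b)'
STUCK='RX bytes:818658 (799.4 KiB)  TX bytes:398 (398.0 b)
RX bytes:818658 (799.4 KiB)  TX bytes:398 (398.0 b)
RX bytes:818658 (799.4 KiB)  TX bytes:398 (398.0 b)'

printf '%s\n' "$GROWING" | detect_stall   # ok
printf '%s\n' "$STUCK" | detect_stall     # stalled
```

Piping the post's live polling loop into `detect_stall` (for example with a limit of 3 to tolerate a quiet 30 seconds) prints "stalled" at the first plateau.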
