[Bro] nfs analysis

Mike Wood muscletot at gmail.com
Thu Oct 4 17:14:19 PDT 2007

Hi Christian,

On 9/26/07, Christian Kreibich <christian at whoop.org> wrote:
> On Mon, 2007-09-24 at 10:39 -0700, Mike Wood wrote:
> > Sadly, yes I do not get any output from nfs.bro.
> >
> > The tcpdump output for my trace looks like:
> >
> > 16:01:13.467628 IP client.host.name.4160508447 > server.host.name.nfs:
> > 132 getattr [|nfs]
> Also, I'm wondering how the source port can be 4160508447 in your
> tcpdump!?

Turns out this looks like a tcpdump bug that has an appropriate fix
(see http://lists.freebsd.org/pipermail/freebsd-bugs/2006-November/021159.html).
So, I think my trace is actually fine.

I ran bro in gdb to trace out the execution. It seems the UDP.cc
analyzer gets called, but the analysis goes no further than that --
i.e. I get to UDP_Analyzer::DeliverPacket, but I never get to
RPC_UDP_Analyzer_binpac::DeliverPacket. I have tried running with the
--use-binpac option, but get the same result.

Any further ideas?

- Mike

More information about the Bro mailing list