[Bro] Offline trace: segmentation fault

Shoey Fighter shoeyfighter at gmail.com
Thu May 29 19:23:31 PDT 2008


I am trying to analyze the auckland 4 trace files
(http://pma.nlanr.net/Traces/long/auck4.html) in Bro. They are
recorded in DAG format, so first I have to convert them to pcap.

I have been trying to use libtrace which has various utilities for
conversion between various formats. Also, since the auckland4 trace is
split into incoming and outgoing directions (with either -0 or -1 at
the end of the file), they must be merged together to encompass the
complete trace.

Here is what I do:

tracemerge pcapfile:20010301-110023.pcap.gz
legacyatm:20010301-110023-0.gz legacyatm:20010301-110023-1.gz
gunzip 20010301-110023.pcap.gz
/usr/local/bro/bin/bro -r 20010301-110023.pcap conn scan trw worm
analy print-resources

Running Bro produces a segmentation fault. It creates all of the
output files for the various analyzers (e.g. conn.log), but all of the
are 0 bytes.

At first, I thought the issue may be due to the large file size of the
merged trace (4.1G), so I tried it on just one direction as well
(without trying to merge them):

traceconvert legacyatm:20010301-110023-0.gz pcapfile:20010301-110023-0.pcap.gz
gunzip 20010301-110023-0.pcap.gz
/usr/local/bro/bin/bro -r 20010301-110023-0.pcap conn scan trw worm
analy print-resources

Again, this produces a segmentation fault, and the file size is now 2.0G.

I also tried running it (both the merged and single) with only the
connection analyzer, which is really the one I am interested in.
Again, this led to a seg fault.

Some other notes that may be applicable:
-The trace files are stored on an nfs mounted drive
-I am using bro-1.3.2
-The OS is fedora 4 (32bit), and the machine has 2gb of memory
-I can successfully run Bro against the lbnl
(http://www.icir.org/enterprise-tracing/download.html) traces using
the analyzers from above
-If I use the coral reef toolkit, I can print the contents of the
converted trace files just fine, which would indicate they are
converted successfully

Any thoughts?


More information about the Bro mailing list