[Bro] Differences in processing multiple traces with BRO and ipsumdump
estrada.veronica at gmail.com
Wed Jul 14 03:29:03 PDT 2010
Actually, this problem is more related to ipsumdump. However, it can
affect BRO input, thus I briefly explain my founds and we can discuss
further details by e-mail. I've just tested ipsumdump with different
traces. I used Ipsumdump 1.78 (libclick-1.7.0) on Fedora 8.
Using wireshark I saw that my files contain some malformed packets,
particularly packets for Ethernet and FC (Fibre Channel) protocols.
I found that FC malformed packets are not a problem for ipsumdump.
But, in the case of Ehernet malformed packets, ipsumdump cannot handle
files that contains this type of malformed packets correctly. I
corroborated my experiments with tcpslice that it can deal with them.
The situation may be a problem if the user doesn't notice the presence
of Ethernet malformed packets and ipsumdump is used in quiet mode
inside a script, since no error messages are printed. At first, I
noticed the problem in the progress bar printed by ipsumdump, because
the progress bar split into several partial bars and eventually reach
100%. The bar does not split when using input files that don't contain
ETH malformed packets . A user can check the size of the output file
but recognizing the error in this way may be subtle because size can
be different if the input pcap files are overlapped.
A good thing about ipsumdump is that it can deal with a terabyte
output and hundreds of input files. On the other hand, when I use
tcpslice, the server crashed (probably because of the tcpslice
Nakao Laboratory - Network Systems Research Group
University of Tokyo
More information about the Bro