[Bro] pcap_next Question

Chris Crawford christopher.p.crawford at gmail.com
Mon May 21 06:38:46 PDT 2012

Bro 2 has been crashing for me regularly and frequently for several
months. [ http://bit.ly/JJQVVf ]

Although I configured Bro in a way that works for me, it would still
be nice to use it as it is intended to be used.

I studied a number of crash dumps, and have looked through the code.
I was seeing crashes with the Bro 2.0 release, but I am now using a
version of Bro 2.0 from the git repositories that I checked out on
April 30.  I saw very similar crashes in both versions.

Line 78 in PktSrc.cc is consistently related to issues in the
backtraces I'm getting from bro core dumps.  I really haven't written
much code with libpcap, so there's probably a good reason to use
pcap_next() there.  I'm just wondering, why not use pcap_next_ex()
there and do a bit of error checking before passing packet data along?
 The way it is right now, it looks like the code just trusts that
pcap_next() read a packet successfully and then hands it off.

I think that in my case, something is going wrong with the call to
pcap_next() -- it's returning a pointer that doesn't make any sense.
If there was a little error checking around pcap_next() by using
pcap_next_ex() instead, maybe that would prevent the crash I'm seeing.

On the other hand, maybe there is some code that does some error
checking on if the value returned by pcap_next() makes sense and I'm
just not finding it.

Can anyone help me understand the choice to use pcap_next() vs pcap_next_ext()?

More information about the Bro mailing list