[Bro] Troubleshooting crashes

Tritium Cat tritium.cat at gmail.com
Tue Sep 11 13:34:16 PDT 2012


On Tue, Sep 11, 2012 at 1:16 PM, Seth Hall <seth at icir.org> wrote:

>
> On Sep 10, 2012, at 8:51 PM, Tritium Cat <tritium.cat at gmail.com> wrote:
>

 (...cut...)


> > /usr/local/3rd-party/bro/share/broctl/scripts/run-bro: line 60: 15452
> Segmentation fault      nohup $mybro $@
>
> Hm, looks like you aren't getting stack traces.  Your OS is probably not
> keeping core dumps or writing them to some OS-wide core dump directory.
>  Change the sysctl variable for your OS to dump core files and make sure
> they're being dropped into the CWD prefixed with "core".
>

I'll make the change and send the info when it's available.



> > bro at bc : [12:33am] : 2012-08-30 : gzcat weird.23:00:00-00:00:00.log.gz
> | awk '{print $7}' | sort | uniq -c | sort -rn | head -10
> > 614589 data_before_established
> > 585445 possible_split_routing
>
> I'm a little curious about these two.  Normally lots of these lines
> indicates that something is wrong with how Bro is collecting packets.  I'm
> interested to find out if these go away when you adapt the snap length.  Is
> the MTU of your network actually 9600 or did you just set that MTU for the
> interface to the maximum it would allow?


The MTU in use is actually 9600.  I made the snaplen change you recommended
but I'm still seeing more or less the same results in weird.log.  I checked
the source to see what "possible_split_routing" represents and that leads
me to think our tap/aggregation setup may be incorrectly load balancing
traffic; I'll get back to you on that later.

417369 possible_split_routing
353346 data_before_established
258014 window_recision
121325 active_connection_reuse
91851 connection_originator_SYN_ack
48796 Teredo_bubble_with_payload
48324 bad_SYN_ack
44451 inappropriate_FIN
44451 above_hole_data_without_any_acks
31832 SYN_seq_jump
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20120911/d23c37c0/attachment.html 


More information about the Bro mailing list