[Bro] Bro terminates on its own in PCAP read mode

Jeremy Gin jgin at utexas.edu
Mon Apr 3 22:54:35 PDT 2017


I am trying to run Bro in PCAP read mode on PCAPs that contain flooding
attacks created in a lab environment. I installed Bro from source and did
not modify the local.bro. The command I am using is:

"bro -r <name>.pcap -C local --time"

This returns the following output:
"WARNING: No Site::local_nets have been defined.  It's usually a good idea
to define your local networks.
# initialization 2.756138
# initialization 59M/49M

I have attached the PCAP. My initial reaction is that the PCAP is too big
as this happens to only PCAPs containing DOS attacks. However, the attached
PCAP is 69 MB and Bro successfully runs on other PCAPs that are around 73
MB. Can anyone explain why Bro is terminating itself?

Any insight you can provide is much appreciated.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170404/79523e83/attachment.html 

More information about the Bro mailing list