[Bro-Dev] [Bro-Commits] [git/bro] topic/gilbert/dtrace-probes: OSX support for dtrace built into bro. Probes supported are: (20fe478)

Clark, Gilbert gc355804 at ohio.edu
Fri Jul 13 15:53:11 PDT 2012 

The way the probes are compiled, it *should* work with FreeBSD.  I'm in
the process of rebuilding my FreeBSD VM, so no way to easily test that
yet, though.  

This will *not* work on Solaris.

In case anyone would like to play with this, I've attached a simple
bro-trace.d that will trace calls to bro-builtins.  On OS X, you'll *need*
to actually sudo -i to run the script; if you don't, END {} won't fire
(not sure why).  You'll also probably need 'dtrace -Z -s bro-trace.d' if
you run dtrace before bro is started.

By the way, to give some idea of overhead, I ran an analysis of the 700 MB
pcap here:

http://2009.hack.lu/index.php/InfoVisContest


via:

bro -r ~/Downloads/jubrowska-capture_1.cap

On my laptop (quad-core i7, 5400 RPM HD, 8 GB DDR3), without probes
compiled into bro, I got:

real	3m33.206s
user	4m15.808s
sys	0m25.539s

With probes compiled but nothing using them:

real	3m41.651s
user	4m18.873s
sys	0m25.759s

With bro-trace.d running while bro processed the above capture file:

real	4m29.553s
user	4m26.601s
sys	1m10.063s


--Gilbert

On 7/13/12 6:00 PM, "Bernhard Amann" <bernhard at ICSI.Berkeley.EDU> wrote:

>This is cool :). I always wanted a reason to play around with dtrace and
>never really found a good
>reason for it.
>
>Might this also work on FreeBSD? If I am not very much mistaken, dtrace
>support has been added
>to it quite a while ago.
>
>Bernhard
>
>On Jul 12, 2012, at 8:45 PM, Gilbert Clark wrote:
>
>> Repository : ssh://git@bro-ids.icir.org/bro
>> 
>> On branch  : topic/gilbert/dtrace-probes
>> Link       : 
>>http://tracker.bro-ids.org/bro/changeset/20fe4788fa96a8855d0dc1ce4c12576d
>>01dea3d8/bro
>> 
>>> ---------------------------------------------------------------
>> 
>> commit 20fe4788fa96a8855d0dc1ce4c12576d01dea3d8
>> Author: Gilbert Clark <gc355804 at ohio.edu>
>> Date:   Thu Jul 12 19:39:51 2012 -0400
>> 
>>    OSX support for dtrace built into bro.  Probes supported are:
>> 
>>    bro_script -- builtin_entry, builtin_return, function_entry,
>>function_return
>>> Offers support for bro script-land tracing (via --enable-dtrace
>>>configure option).
>> 
>>    bro_checkpoint -- fire, clear
>>> Meant to support incremental statistics (e.g. time elapsed between two
>>>checkpoints).
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bro-trace.d
Type: application/octet-stream
Size: 901 bytes
Desc: bro-trace.d
Url : http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20120713/738b57c4/attachment.obj

More information about the bro-dev mailing list