[Bro-Dev] Trouble with getting Bro 2.2 private analyzer to write logs on current master

James Swaro james.swaro at gmail.com
Wed Jun 17 08:30:05 PDT 2015


If I understand the patch correctly, it would only cause problems for
connections with over 2GB of data payload, but I think it should work fine
for a small trace of say 200KB. I'm not seeing any events at all, nor am I
seeing the log files that should be created when using the analyzer.

I'll correct the functions and test it out though.

On Wed, Jun 17, 2015 at 10:10 AM, Vlad Grigorescu <vlad at grigorescu.org>
wrote:

> On Wed, Jun 17, 2015 at 9:45 AM, James Swaro <james.swaro at gmail.com>
> wrote:
>
>> > Just a guess, but it could be related to this:
>> https://github.com/bro/bro/blob/master/CHANGES#L1578
>> I'm looking, but nothing seems to pop out at me.
>>
>> > The other big change was moving to plugins, but if you're seeing it
>> added as a child analyzer, that doesn't sound like it'd be the issue.
>> It seems to be ok. Did data delivery change from DeliverPacket to
>> something else?
>>
>> > Was this analyzer written in BinPAC, or in C++?
>> It was written in C++.
>>
>
> Well, what I meant with that change was that the functions used for data
> delivery changed. Specifically:
>
> Analyzer::{NextPacket, NextUndelivered, ForwardPacket, ForwardUndelivered,
> DeliverPacket, Undelivered} were modified to change the int seq parameter
> to a uint64. If your functions aren't updated, and are expecting a plain
> old int for the sequence number, I've seen the scenario you describe: the
> analyzer attaches, but doesn't function.
>
>   --Vlad
>
>


-- 
James Swaro
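
The signature mismatch described in the quoted reply, shown as an added example that is not part of the original thread and not Bro's code: `BaseAnalyzer`, `StaleAnalyzer`, `FixedAnalyzer` and `feed` are hypothetical stand-ins with a simplified parameter list. A method still declared with `int seq` does not override the base virtual that now takes a 64-bit sequence number, so calls made through the base class never reach it.

```cpp
#include <cstdint>
#include <cstdio>

// Simplified stand-in for a framework base class (hypothetical, not Bro's header).
// The sequence parameter has been widened from int to uint64_t.
struct BaseAnalyzer {
    virtual ~BaseAnalyzer() {}
    // Default implementation does nothing with the data.
    virtual void DeliverPacket(int len, const unsigned char* data, bool orig, uint64_t seq) {
        (void)len; (void)data; (void)orig; (void)seq;
    }
};

// Private analyzer still written against the old int-seq signature.
// This declares a NEW virtual that hides the base one; it does not override it.
struct StaleAnalyzer : BaseAnalyzer {
    int delivered = 0;
    virtual void DeliverPacket(int len, const unsigned char*, bool, int seq) {
        (void)seq;
        delivered += len;
    }
};

// Updated analyzer: the signature matches, and `override` turns any later
// mismatch into a compile error instead of a silent no-op.
struct FixedAnalyzer : BaseAnalyzer {
    int delivered = 0;
    void DeliverPacket(int len, const unsigned char*, bool, uint64_t) override {
        delivered += len;
    }
};

// The framework only ever calls through the base class.
void feed(BaseAnalyzer& a, int len) {
    static const unsigned char payload[4] = {0, 1, 2, 3};  // constructed sample data
    a.DeliverPacket(len, payload, true, uint64_t(1));
}

int bytes_seen_by_stale() { StaleAnalyzer a; feed(a, 4); return a.delivered; }
int bytes_seen_by_fixed() { FixedAnalyzer a; feed(a, 4); return a.delivered; }

int main() {
    std::printf("stale=%d fixed=%d\n", bytes_seen_by_stale(), bytes_seen_by_fixed());
    return 0;
}
```

Adding `override` to `StaleAnalyzer::DeliverPacket` makes the compiler reject it, and `-Woverloaded-virtual` in GCC and Clang warns about the hidden base method.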