[Bro-Dev] Trouble with getting Bro 2.2 private analyzer to write logs on current master

James Swaro james.swaro at gmail.com
Wed Jun 17 11:26:30 PDT 2015

In Analyzer.cc, there is a quick check for  'if (skip)' . How does this
variable get set?

On Wed, Jun 17, 2015 at 10:30 AM, James Swaro <james.swaro at gmail.com> wrote:

> If I understand the patch correctly, it would only cause problems for
> connections with over 2GB of data payload, but I think it should work fine
> for a small trace of say 200KB. I'm not seeing any events at all, nor am I
> seeing the log files that should be created when using the analyzer.
> I'll correct the functions and test it out though.
> On Wed, Jun 17, 2015 at 10:10 AM, Vlad Grigorescu <vlad at grigorescu.org>
> wrote:
>> On Wed, Jun 17, 2015 at 9:45 AM, James Swaro <james.swaro at gmail.com>
>> wrote:
>>> > Just a guess, but it could be related to this:
>>> https://github.com/bro/bro/blob/master/CHANGES#L1578
>>> I'm looking, but nothing seems to pop out at me.
>>> > The other big change was moving to plugins, but if you're seeing it
>>> added as a child analyzer, that doesn't sound like it'd be the issue.
>>> It seems to be ok. Did data delivery change from DeliverPacket to
>>> something else?
>>> > Was this analyzer written in BinPAC, or in C++?
>>> It was written in C++.
>> Well, what I meant with that change was that the functions used for data
>> delivery changed. Specifically:
>> Analyzer::{NextPacket, NextUndelivered, ForwardPacket,
>> ForwardUndelivered, DeliverPacket, Undelivered} were modified to change the
>> int seq parameter to a uint64. If your functions aren't updated, and are
>> expecting a plain old int for the sequence number, I've seen the scenario
>> you describe: the analyzer attaches, but doesn't function.
>>   --Vlad
> --
> James Swaro

James Swaro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20150617/82b3a895/attachment.html 

More information about the bro-dev mailing list