[Bro-Dev] Trouble with getting Bro 2.2 private analyzer to write logs on current master

James Swaro james.swaro at gmail.com
Wed Jun 17 14:10:19 PDT 2015


1285862632.803262/1434571577.132267 [dpd] TCPRS[101422] DeliverPacket(0, T,
9005, 0x7fff0d41bf80, 0) []
1285862632.803262/1434571577.132274 [dpd] TCP_ApplicationAnalyzer ignoring
DeliverPacket(0, T, 9005, 0x7fff0d41bf80, 0) []

Are these two lines related? I'm stuck. I've run bro with GDB attached
using a simple trace file and TCPRS_Analyzer::DeliverPacket never seems to
be entered.

On Wed, Jun 17, 2015 at 1:26 PM, James Swaro <james.swaro at gmail.com> wrote:

> In Analyzer.cc, there is a quick check for 'if (skip)'. How does this
> variable get set?
>
> On Wed, Jun 17, 2015 at 10:30 AM, James Swaro <james.swaro at gmail.com>
> wrote:
>
>> If I understand the patch correctly, it would only cause problems for
>> connections with over 2GB of data payload, but I think it should work fine
>> for a small trace of say 200KB. I'm not seeing any events at all, nor am I
>> seeing the log files that should be created when using the analyzer.
>>
>> I'll correct the functions and test it out though.
>>
>> On Wed, Jun 17, 2015 at 10:10 AM, Vlad Grigorescu <vlad at grigorescu.org>
>> wrote:
>>
>>> On Wed, Jun 17, 2015 at 9:45 AM, James Swaro <james.swaro at gmail.com>
>>> wrote:
>>>
>>>> > Just a guess, but it could be related to this:
>>>> https://github.com/bro/bro/blob/master/CHANGES#L1578
>>>> I'm looking, but nothing seems to pop out at me.
>>>>
>>>> > The other big change was moving to plugins, but if you're seeing it
>>>> added as a child analyzer, that doesn't sound like it'd be the issue.
>>>> It seems to be ok. Did data delivery change from DeliverPacket to
>>>> something else?
>>>>
>>>> > Was this analyzer written in BinPAC, or in C++?
>>>> It was written in C++.
>>>>
>>>
>>> Well, what I meant with that change was that the functions used for data
>>> delivery changed. Specifically:
>>>
>>> Analyzer::{NextPacket, NextUndelivered, ForwardPacket,
>>> ForwardUndelivered, DeliverPacket, Undelivered} were modified to change the
>>> int seq parameter to a uint64. If your functions aren't updated, and are
>>> expecting a plain old int for the sequence number, I've seen the scenario
>>> you describe: the analyzer attaches, but doesn't function.
>>>
>>>   --Vlad
>>>
>>>
>>
>>
>> --
>> James Swaro
>>
>>
>>
>
>
> --
> James Swaro
>
>
>


-- 
James Swaro
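The signature mismatch Vlad describes (derived analyzer still declaring `int seq` after the base class moved to `uint64`) produces exactly the symptom in the log above: the core calls `DeliverPacket` through the base pointer, the base implementation runs and "ignores" the data, and the derived method is never entered. The following is an added example with constructed stand-in classes, not Bro's `Analyzer` or `TCPRS_Analyzer` code, showing the silent hiding and the `override` check that turns it into a compile error:

```cpp
#include <cstdint>
#include <cstdio>

// Constructed stand-in for the base class (NOT Bro's Analyzer). As in the
// thread, the sequence parameter is now uint64_t rather than int.
struct BaseAnalyzer {
    virtual ~BaseAnalyzer() {}
    // Base behaviour: the packet is ignored, like the "[dpd] ... ignoring
    // DeliverPacket" line in the debug output.
    virtual bool DeliverPacket(int len, const unsigned char* data, bool orig,
                               uint64_t seq) {
        (void)len; (void)data; (void)orig; (void)seq;
        return false;  // not handled
    }
};

// Derived analyzer that was never updated: 'int seq' no longer matches the
// base signature, so this is a new overload that HIDES the virtual instead of
// overriding it. It compiles, the analyzer attaches, but is never called.
struct StaleAnalyzer : BaseAnalyzer {
    bool DeliverPacket(int len, const unsigned char* data, bool orig, int seq) {
        (void)len; (void)data; (void)orig; (void)seq;
        return true;  // would mean "handled", but is unreachable via the base
    }
};

// Updated analyzer: uint64_t seq plus 'override', which makes any future
// signature drift a compile-time error rather than a silent no-op.
struct UpdatedAnalyzer : BaseAnalyzer {
    bool DeliverPacket(int len, const unsigned char* data, bool orig,
                       uint64_t seq) override {
        (void)len; (void)data; (void)orig; (void)seq;
        return true;  // handled
    }
};

// Simulates the core forwarding a packet to a child through a base-class
// reference, which is how the parent analyzer delivers data to children.
bool deliver_via_base(BaseAnalyzer& a) {
    const unsigned char payload[] = "constructed payload";  // constructed sample
    return a.DeliverPacket(sizeof(payload) - 1, payload, true, 9005u);
}

bool stale_analyzer_receives_packet()   { StaleAnalyzer a;   return deliver_via_base(a); }
bool updated_analyzer_receives_packet() { UpdatedAnalyzer a; return deliver_via_base(a); }

int main() {
    std::printf("stale: %d, updated: %d\n",
                stale_analyzer_receives_packet(), updated_analyzer_receives_packet());
    return 0;
}
```

Compiling with `-Woverloaded-virtual` also flags the stale case as a warning, which is a cheap check to run over a private analyzer after a Bro upgrade.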