[Bro-Dev] [JIRA] (BIT-1475) Exec::Run does not complete

Johanna Amann (JIRA) jira at bro-tracker.atlassian.net
Thu Sep 17 16:20:02 PDT 2015


    [ https://bro-tracker.atlassian.net/browse/BIT-1475?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22109#comment-22109 ] 

Johanna Amann commented on BIT-1475:
------------------------------------

Could you test if running bro with

{code}
bro t1.bro -r my.pcap --pseudo-realtime
{code}

or similar fixes your problem? That will start Bro in pseudo realtime mode and read in the trace as fast as it happened on the wire, inserting sleeps where necessary.

The problem seems to be that once processing of the tracefile stopped, no heartbeats are sent to the input threads anymore -- those are necessary to get the output of the command after it has been run. I am not quite sure why that happens - but I think I remember that these are triggered by input traffic (i.e. when there is no further traffic, there are no further heartbeats).

The reason that heartbeats happen when no trace is processed is the communication framework - and I think that is special-cased then.

In any case - we should probably fix this.

> Exec::Run does not complete
> ---------------------------
>
>                 Key: BIT-1475
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1475
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master, 2.3
>         Environment: Centos 6.6
>            Reporter: Aaron
>              Labels: hang
>             Fix For: 2.5
>
>         Attachments: bro.tar.gz
>
>
> I'm having trouble running an external program in the callback function for an event when processing a pcap file.  It seems to work in bro_init, however, which confuses me.
> The working file will print out the output of the "ls" command, whereas the not-working file will not print out anything no matter how long I wait.
> Specifically here I want to use the event when bro detects a file in the pcap.
> working.bro (ran as simply "bro working.bro"):
> {code:java}
> @load base/utils/exec
> redef exit_only_after_terminate=T;
> event bro_init()
> {
>         local t= "ls /";
>         local cmd = Exec::Command($cmd=t);
>         when (local res = Exec::run(cmd))
>         {
>                 print "hello";
>                 print res$stdout;
>         }
> }
> {code}
> notworking.bro (ran as bro -r my.pcap notworking.bro):
> {code:java}
> @load base/utils/exec
> @load base/frameworks/files
> @load base/frameworks/notice
> redef exit_only_after_terminate=T;
> event file_new(f: fa_file)
>     {
>         local t ="ls /";
>         local cmd = Exec::Command($cmd=t);
>         when (local res = Exec::run(cmd))
>         {
>                 print "hello";
>                 print res$stdout;
>         }
>     }
> {code}


