[Bro-Dev] [Bro] ActiveHTTP

Seth Hall seth at icir.org
Wed Feb 1 07:00:23 PST 2017

> On Jan 28, 2017, at 9:15 AM, Dave Crawford <bro at pingtrip.com> wrote:
> And the second print doesn’t execute:
> $ bro -r test.pcap local ../test.bro 
> Entering the ActiveHTTP::Request when() block...
> I have ‘exit_only_after_terminate’ set to true so it just hangs at this point until I ctrl-c and I see the tmp files deleted.

Following on this ticket from the main Bro list, I wonder if we could change the behavior of Bro slightly to make what Dave tried work?  I *think* the problem here is that once the packets run out, Bro's internal clock stops moving forward which causes all sorts of trouble for timers and other stuff I'm sure.

What does everyone think about making the clock continue to move forward even after the packet source runs dry?  This especially makes sense when someone uses pseudo-realtime because we can keep moving the clock at the rate it was moving (but not jump to current time, we'd just do subtraction based on the time when the packet source ran dry).  The main problem I see with this idea is if someone reads a PCAP at full speed, what rate do we make the clock continue ticking?

Does this idea make sense at all?  I think we've had too many new Bro programmers get frustrated with this behavior which worries me a little bit.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the bro-dev mailing list