[Bro-Dev] Bro working well on Mac OS High Sierra, just a couple test failures

Slagell, Adam J slagell at illinois.edu
Wed Oct 4 11:57:00 PDT 2017


I had no problems after the upgrade to High Sierra on my “production” box, and I had no troubles compiling Bro 2.5.1 on my laptop.

I did, however, get two errors in the test suite.

core.truncation ... failed
  % 'btest-diff output' failed unexpectedly (exit code 1)
  % cat .diag
  == File ===============================
  #separator \x09
  #set_separator	,
  #empty_field	(empty)
  #unset_field	-
  #path	weird
  #open	2017-10-04-18-48-40
  #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
  #types	time	string	addr	port	addr	port	string	string	bool	string
  1334160095.895421	-	-	-	-	-	truncated_IP	bro
  #close	2017-10-04-18-48-40
  #separator \x09
  #set_separator	,
  #empty_field	(empty)
  #unset_field	-
  #path	weird
  #open	2017-10-04-18-48-41
  #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
  #types	time	string	addr	port	addr	port	string	string	bool	string
  1334156241.519125	-	-	-	-	-	truncated_IP	bro
  #close	2017-10-04-18-48-41
  #separator \x09
  #set_separator	,
  #empty_field	(empty)
  #unset_field	-
  #path	weird
  #open	2017-10-04-18-48-41
  #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
  #types	time	string	addr	port	addr	port	string	string	bool	string
  1334094648.590126	-	-	-	-	-	truncated_IP	bro
  #close	2017-10-04-18-48-41
  #separator \x09
  #set_separator	,
  #empty_field	(empty)
  #unset_field	-
  #path	weird
  #open	2017-10-04-18-48-43
  #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
  #types	time	string	addr	port	addr	port	string	string	bool	string
  1338328954.078361	-	-	-	-	-	internally_truncated_header	-	F	bro
  #close	2017-10-04-18-48-43
  #separator \x09
  #set_separator	,
  #empty_field	(empty)
  #unset_field	-
  #path	weird
  #open	2017-10-04-18-48-43
  #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
  #types	time	string	addr	port	addr	port	string	string	bool	string
  1404148886.981015	-	-	-	-	-	bad_IP_checksumbro
  1404148887.011158	CHhAvVGS1DHFjwGM9	192.168.4.149	51293	72.21.91.29	443	bad_TCP_checksum	-	F	bro
  #close	2017-10-04-18-48-43
  == Diff ===============================
  --- /tmp/test-diff.62112.output.baseline.tmp	2017-10-04 18:48:43.000000000 +0000
  +++ /tmp/test-diff.62112.output.tmp	2017-10-04 18:48:43.000000000 +0000
  @@ -46,5 +46,6 @@
   #open XXXX-XX-XX-XX-XX-XX
   #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer
   #types	time	string	addr	port	addr	port	string	string	bool	string
  -0.000000	-	-	-	-	-	truncated_link_header	bro
  +XXXXXXXXXX.XXXXXX	-	-	-	-	-	bad_IP_checksumbro
  +XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.4.149	51293	72.21.91.29	443	bad_TCP_checksum	-	F	bro
   #close XXXX-XX-XX-XX-XX-XX
  =======================================

  % cat .stderr
  1404148887.011158 warning in /Users/slagell/Downloads/bro-2.5.1/scripts/base/misc/find-checksum-offloading.bro, line 54: Your trace file likely has invalid IP and TCP checksums, most likely from NIC checksum offloading.  By default, packets with invalid checksums are discarded by Bro unless using the -C command-line option or toggling the 'ignore_checksums' variable.  Alternatively, disable checksum offloading by the network adapter to ensure Bro analyzes the actual checksums that are transmitted.
  1404148887.011158 warning in /Users/slagell/Downloads/bro-2.5.1/scripts/base/misc/find-filtered-trace.bro, line 48: The analyzed trace file was determined to contain only TCP control packets, which may indicate it's been pre-filtered.  By default, Bro reports the missing segments for this type of trace, but the 'detect_filtered_trace' option may be toggled if that's not desired.

istate.bro-ipv6-socket ... failed
  % 'btest-bg-wait 20' failed unexpectedly (exit code 1)
  % cat .stderr
  The following processes did not terminate:
  
  bro -b ../recv.bro
  bro -b ../send.bro
  
  -----------
  <<< [72978] bro -b ../recv.bro
  received termination signal
  >>>
  <<< [72998] bro -b ../send.bro
  received termination signal
  >>>

------

Adam J. Slagell
Director, Cybersecurity & Networking Division
Chief Information Security Officer
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
www.slagell.info

"Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure." 










