[Bro-Dev] Bro 2.6-beta plans
Azoff, Justin S
jazoff at illinois.edu
Thu Sep 6 13:34:52 PDT 2018
> On Sep 6, 2018, at 4:19 PM, Jon Siwek <jsiwek at corelight.com> wrote:
>
> On Thu, Sep 6, 2018 at 3:14 PM Azoff, Justin S <jazoff at illinois.edu> wrote:
>
>
>> I tested an almost stock local.bro (a few additional things disabled) and saw the same thing.
>>
>> fa7fa5aa is fine, but with 452eb0cb everything is working really hard to do something.
>
> Thanks for that, I'll start looking into it, but still would be
> helpful if you could try disabling message forwarding (or disable ssl
> + look at some captured traffic to see if you can understand what
> might be happening). Thanks.
>
> - Jon
Yeah, that fixed it!
I re-enabled that and then disabled ssl, and I am looking at the comm stuff going to the logger, which should just be logs.
This seems to work for basic quick analysis:
[root at bro40-dev ~]# tcpdump -n -i em1 port 47761 -A|sed "s/\.\.\.\.\./\n/g"|egrep -io broker.* |head -n 10000|sort|uniq -c|sort -nr
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 262144 bytes
tcpdump: Unable to write output: Broken pipe
8842 broker::topic+broker::internal_command+ at u32.bro/known/certs/<$>/data/clone
1124 broker::topic+broker::internal_command+ at u32.bro/known/hosts/<$>/data/clone
8 broker::internal_command+ at u32.bro/known/certs/<$>/data/clone
5 broker::topic+broker::internal_command+@
—
Justin Azoff
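The one-liner above does its counting with sed, egrep, sort and uniq over `tcpdump -A` text. As an added example (not code from the thread or from the Bro/Broker project), here is the same technique in Python over a constructed sample in the shape of that `tcpdump -A` output: split the printable dump on the runs of dots that separate frames, pull out each `broker::...` token, cap the number of tokens the way `head -n 10000` does, and rank topics by frequency. The sample payload is constructed, not a real capture, and it writes the topic as `@u32.bro`, on the assumption that the `+ at u32.bro` in the pasted output is just the list archive's rendering of `@`.

```python
"""Count Broker topic strings in a tcpdump -A style dump.

Mirrors the pipeline
    tcpdump -A ... | sed "s/\\.\\.\\.\\.\\./\\n/g" | egrep -io broker.* | head -n 10000 | sort | uniq -c | sort -nr
from the message above.  Added example; the SAMPLE below is constructed,
not a real capture.
"""
import re
from collections import Counter

# Under `tcpdump -A` non-printable bytes are shown as '.', so consecutive
# frames in the stream appear separated by runs of dots.  The sed in the
# pipeline turned five dots into a newline; this regex does the same split.
SEPARATOR = re.compile(r"\.{5,}")

# `egrep -io broker.*`: the first 'broker::' up to the end of the chunk,
# case-insensitively.
TOPIC = re.compile(r"broker::.*", re.IGNORECASE)


def extract_topics(ascii_dump: str):
    """Yield every 'broker::...' token found in a tcpdump -A style dump."""
    for chunk in SEPARATOR.split(ascii_dump):
        m = TOPIC.search(chunk)
        if m:
            yield m.group(0).strip()


def count_topics(ascii_dump: str, limit: int = 10000):
    """Return [(count, topic), ...], most frequent first, like `sort | uniq -c | sort -nr`.

    `limit` plays the role of `head -n 10000`: only the first `limit` tokens
    are counted, so a busy link gives a quick snapshot instead of running on.
    Ties are broken by topic string so the result is deterministic.
    """
    tokens = list(extract_topics(ascii_dump))[:limit]
    counts = Counter(tokens)
    return sorted(((n, t) for t, n in counts.items()), key=lambda x: (-x[0], x[1]))


# Constructed sample in the shape of `tcpdump -A` text (assumed format, not a
# real capture): a few bytes of header noise, then frames separated by dots.
SAMPLE = (
    "E..z..@.@.....broker::topic+broker::internal_command+@u32.bro/known/certs/<$>/data/clone"
    ".....broker::topic+broker::internal_command+@u32.bro/known/certs/<$>/data/clone"
    ".....broker::topic+broker::internal_command+@u32.bro/known/hosts/<$>/data/clone"
    ".....broker::internal_command+@u32.bro/known/certs/<$>/data/clone"
    ".....broker::topic+broker::internal_command+@u32.bro/known/certs/<$>/data/clone"
)

if __name__ == "__main__":
    # Same shape as the `uniq -c | sort -nr` output: count, then topic.
    for n, topic in count_topics(SAMPLE):
        print(f"{n:7d} {topic}")
```

To use it on a live capture, feed it the text of `tcpdump -n -i em1 port 47761 -A` (for example by reading stdin) instead of `SAMPLE`; the split on dot runs is a heuristic that only works because the dump is run through `-A`, so a topic containing five literal dots would be cut short, exactly as it would be by the sed in the original pipeline.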