Bro Question

Vern Paxson vern at ee.lbl.gov
Fri Feb 4 08:48:52 PST 2000


> I'm using the suggested filter, i.e.:
> 
> ./bro -f "((tcp[13] & 0x7 != 0) or \
>  port telnet or tcp port 513 or port finger or port 111 or tcp port 113 or \
>  port ftp or dst port 8000 or \
>  (tcp and (ip[6:2] & 0x3fff != 0)))" \
>  -i hme0 mt
> 
> Looking at the top stats for the system, top gives:
> 
> load averages:  1.00,  1.01,  1.01                                      00:15:11
> 22 processes:  20 sleeping, 1 running, 1 on cpu
> CPU states:  0.0% idle, 99.8% user,  0.2% kernel,  0.0% iowait,  0.0% swap
> Memory: 256M real, 76M free, 13M swap in use, 424M swap free
> 
>   PID USERNAME THR PRI NICE  SIZE   RES STATE   TIME    CPU COMMAND
>  3172 root       1  40    0 4216K 3736K run    22.9H 99.51% bro

Very strange.  The next thing to do is attach a debugger to it when it's
running and see where it is.  But you might also want to try the Bro
0.7a10 snapshot:

	ftp://ftp.ee.lbl.gov/.vp-bro-pub-0.7a10.tar.gz

which may have already fixed the problem (there were some bugs in which
certain sequences of packets could make Bro loop or crash).  This is a
0.7 pre-release and so doesn't include discussion of what has changed,
so not really ready for general use, though others who want to play with
it now can go ahead and fetch it.  As usual, please don't redistribute it
further, instead point people at me for further copies.

		Vern
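To make the quoted capture filter concrete, here is an added Python example (not from the original thread and not Bro's own code) that applies the same predicate to raw IPv4 packets: `tcp[13] & 0x7` picks out FIN/SYN/RST segments, `ip[6:2] & 0x3fff` picks out fragments, and the remaining clauses are port tests. Service names are assumed to resolve to the standard /etc/services numbers, and the test packets are constructed inline.

```python
import struct

# Port names resolved as in /etc/services (telnet=23, ftp=21, finger=79,
# sunrpc=111, auth=113, login=513); 8000 is given numerically in the filter.
PORTS_ANY_PROTO = {23, 21, 79, 111}   # "port X": TCP or UDP, either direction
PORTS_TCP_ONLY = {513, 113}           # "tcp port X"
DST_PORTS = {8000}                    # "dst port 8000"


def matches_bro_filter(pkt: bytes) -> bool:
    """Apply the mailing-list filter to a raw IPv4 packet (no link-layer header)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return False                                  # not IPv4: no clause matches
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    frag = struct.unpack_from("!H", pkt, 6)[0]        # ip[6:2]: MF flag + offset
    is_tcp = proto == 6
    # "tcp and (ip[6:2] & 0x3fff != 0)": any TCP fragment, first or later
    if is_tcp and frag & 0x3FFF:
        return True
    # libpcap only dereferences ports / tcp[] on first fragments (offset == 0),
    # so a non-first UDP fragment can never satisfy a port clause.
    if proto not in (6, 17) or frag & 0x1FFF or len(pkt) < ihl + 4:
        return False
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    # "tcp[13] & 0x7 != 0": FIN, SYN or RST set, i.e. connection start/teardown
    if is_tcp and len(pkt) >= ihl + 14 and pkt[ihl + 13] & 0x07:
        return True
    if sport in PORTS_ANY_PROTO or dport in PORTS_ANY_PROTO:
        return True
    if is_tcp and (sport in PORTS_TCP_ONLY or dport in PORTS_TCP_ONLY):
        return True
    return dport in DST_PORTS


def make_ipv4(proto: int, sport: int, dport: int, flags: int = 0, frag: int = 0) -> bytes:
    """Constructed test packet: 20-byte IPv4 header plus a minimal TCP or UDP header."""
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
          if proto == 6 else struct.pack("!HHHH", sport, dport, 8, 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, frag, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + l4


if __name__ == "__main__":
    for label, pkt in [("SYN to 80", make_ipv4(6, 40000, 80, flags=0x02)),
                       ("ACK to 80", make_ipv4(6, 40000, 80, flags=0x10)),
                       ("TCP fragment", make_ipv4(6, 40000, 80, flags=0x10, frag=0x2000)),
                       ("UDP 2nd fragment to 111", make_ipv4(17, 40000, 111, frag=0x0001))]:
        print(f"{label:26s} -> {matches_bro_filter(pkt)}")
```

Note that the explicit fragment clause is what lets Bro see non-first TCP fragments at all, since the port and `tcp[]` clauses are only evaluated on first fragments.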
