From magnus.anderssen at orange.ch Fri Jun 1 00:26:14 2001
From: magnus.anderssen at orange.ch (Anderssen Magnus)
Date: Fri, 1 Jun 2001 09:26:14 +0200
Subject: method for clean-up
Message-ID: <130F25996DF0D411A9970002A513A71E4DC5F3@VDLAEXC7>

Hi again,

I found the answer to my question.
I forgot, in my GTP_Tunnel class, to make it inherit from the BroObj class!
Now it exits fine...

Magnus Anderssen.

> -----Original Message-----
> From: Anderssen Magnus
> Sent: Wednesday, May 30, 2001 7:17 PM
> To: 'bro at lbl.gov'
> Subject: method for clean-up
>
> Hi,
>
> I am making a module for Bro to track some specific UDP traffic...
> I've an object (GTP_Conn) inheriting from UDP_Conn instantiated in
> Session.cc.
> I'm using a Dictionary, like the one used for the tcp_conns, udp_conns
> variables.
> I've created a custom key, the lookup works so I suppose the dictionary
> works well.
>
> this is how I created the dictionary:
>
>     declare(PDict, GTP_Tunnel);  // GTP_Tunnel is the class type of my custom object
>     ...
>     PDict(GTP_Tunnel) tunnels;
>     ...
>     tunnels.SetDeleteFunc(bro_obj_delete_func);  // just copied this from the tcp_conns example
>
>
> This is what I get when shutting down after simulating 1 packet:
> --
> ...... received termination signal
> 1 packets received on interface lo0, 0 dropped
>
> Abort (core dumped)
> --
> This is what I get when shutting down after simulating a lot of packets BUT
> only one GTP_Tunnel instance...
> --
> ...... received termination signal
> 92854 packets received on interface lo0, 0 dropped
>
> /: write failed, file system full
> Abort
> --
> Note : I have inserted printfs in all the destructors, it seems that the
> destructors of the tunnel instance(s) and of the variable 'tunnels' are
> not called, but GTP_Conn's ones are called.
>
> Magnus.

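Added example, not part of the original thread and not Bro's code: a delete hook that casts a type-erased void* to a base class is only valid when the stored class really derives from that base, and a typed wrapper can turn the "forgot to inherit" mistake from the message above into a compile-time error. Obj, PtrDict, obj_delete_func, Tunnel and PlainTunnel are hypothetical stand-ins (for BroObj, PDict, bro_obj_delete_func and GTP_Tunnel), and the body of the delete hook is an assumption.

```cpp
#include <string>
#include <type_traits>
#include <unordered_map>
// Hypothetical stand-in for a common base class such as BroObj.
struct Obj { virtual ~Obj() = default; };
// Assumed shape of a type-erased delete hook: valid only if v is an Obj*.
inline void obj_delete_func(void* v) { delete static_cast<Obj*>(v); }

// Typed front end over void* storage (stand-in for a PDict-style dictionary).
template <class T>
class PtrDict {
    // Turns the "forgot to inherit" mistake into a compile-time error.
    static_assert(std::is_base_of<Obj, T>::value,
                  "T must derive from Obj: the delete hook casts void* to Obj*");
    std::unordered_map<std::string, void*> tbl_;
    void (*del_)(void*) = nullptr;
public:
    PtrDict() = default;
    PtrDict(const PtrDict&) = delete;             // owning container: no copies
    PtrDict& operator=(const PtrDict&) = delete;
    void SetDeleteFunc(void (*f)(void*)) { del_ = f; }
    void Insert(const std::string& k, T* v) {
        void*& slot = tbl_[k];                    // nullptr for a new key
        if (slot && del_) del_(slot);             // replacing: free the old value
        slot = static_cast<Obj*>(v);              // erase through Obj*, not T*
    }
    T* Lookup(const std::string& k) const {
        auto it = tbl_.find(k);
        return it == tbl_.end() ? nullptr
                                : static_cast<T*>(static_cast<Obj*>(it->second));
    }
    ~PtrDict() { if (del_) for (auto& e : tbl_) del_(e.second); }
};

struct Tunnel : Obj {                             // constructed example type
    static int live;
    Tunnel() { ++live; }  ~Tunnel() override { --live; }
};
int Tunnel::live = 0;
struct PlainTunnel { int id; };  // no Obj base: PtrDict<PlainTunnel> will not compile

// Returns how many Tunnel objects are still alive after the dictionary is destroyed.
int live_after_scope() {
    auto* tunnels = new PtrDict<Tunnel>;
    tunnels->SetDeleteFunc(obj_delete_func);
    tunnels->Insert("a", new Tunnel);
    tunnels->Insert("a", new Tunnel);             // replaces and frees the first
    tunnels->Insert("b", new Tunnel);
    bool ok = Tunnel::live == 2 && tunnels->Lookup("b");
    delete tunnels;                               // shutdown: hook runs per entry
    return ok ? Tunnel::live : -1;
}
int main() { return live_after_scope(); }
```
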
From kerberos_007 at hotmail.com Wed Jun 6 20:45:01 2001
From: kerberos_007 at hotmail.com (kerberos kkk)
Date: Wed, 06 Jun 2001 23:45:01 -0400
Subject: Error while compiling bro
Message-ID:

The bro version I am using is bro-0.7a48 and platform is
OpenBSD park 2.8 GENERIC#399 i386

I am getting the following error while trying to compile bro:
Any pointers will be helpful.

thanks a lot

>>make
c++ -o bro main.o net_util.o parse.o scan.o re-parse.o re-scan.o util.o Attr.o BackDoor.o BroString.o CCL.o CompHash.o Conn.o DFA.o Desc.o Dict.o Discard.o DNS.o EquivClass.o Event.o Expr.o File.o Finger.o Frag.o Frame.o FTP.o Func.o Hash.o HTTP.o ICMP.o ID.o Ident.o InterConn.o List.o Logger.o Login.o NFA.o NVT.o Net.o NetVar.o Obj.o OtherTCP.o PktSrc.o Portmap.o PriorityQueue.o Queue.o Reassem.o Rlogin.o RE.o RPC.o Scope.o Sessions.o SteppingStone.o Stmt.o TCP.o Telnet.o Timer.o Type.o UDP.o Val.o Var.o XDR.o cq.o nb_dns.o setsignal.o version.o -Lbind8/lib -lbind ../libpcap-0.4/libpcap.a -lm
setsignal.o: Undefined symbol `_sigset' referenced from text segment
collect2: ld returned 1 exit status
*** Error code 1

From vern at ee.lbl.gov Sun Jun 17 23:39:47 2001
From: vern at ee.lbl.gov (Vern Paxson)
Date: Sun, 17 Jun 2001 23:39:47 PDT
Subject: Error while compiling bro
In-Reply-To: Your message of Wed, 06 Jun 2001 23:45:01 PDT.
Message-ID: <200106180639.f5I6dlC27871@daffy.ee.lbl.gov>

> The bro version I am using is bro-0.7a48 and platform is
> OpenBSD park 2.8 GENERIC#399 i386
>
> I am getting the following error while trying to compile bro:
> Any pointers will be helpful.
> ...
> setsignal.o: Undefined symbol `_sigset' referenced from text segment
> collect2: ld returned 1 exit status

Does OpenBSD lack sigset()? If so, then you'll need to figure out why
the autoconf configure script is defining HAVE_SIGSET.

		Vern

From magnus.anderssen at orange.ch Fri Jun 22 06:35:12 2001
From: magnus.anderssen at orange.ch (Anderssen Magnus)
Date: Fri, 22 Jun 2001 15:35:12 +0200
Subject: interval to double
Message-ID: <130F25996DF0D411A9970002A513A71E4DC6CF@VDLAEXC7>

Hi,

I need to compare an amount of packet with what becomes an interval.
Let me explain:
I have:
- a packet counter
- an interval
- a threshold of packet per second.

When I multiply the interval with the threshold the result is an interval.
I want to compare the result with the counter (of count type).

Is there a converter (interval->count/int) or a smarter way to do it?

Thanks in advance.

Magnus.

From tom_ada at hotmail.com Fri Jun 22 21:20:18 2001
From: tom_ada at hotmail.com (thomas thomas)
Date: Sat, 23 Jun 2001 04:20:18 -0000
Subject: bro -w option
Message-ID:

Hi,

When is the -w option useful?
What is the real need to write the traffic to a tcpdump file if we are
analysing it already?

regards
tom

From vern at ee.lbl.gov Sat Jun 23 02:03:55 2001
From: vern at ee.lbl.gov (Vern Paxson)
Date: Sat, 23 Jun 2001 02:03:55 PDT
Subject: bro -w option
In-Reply-To: Your message of Sat, 23 Jun 2001 04:20:18 PDT.
Message-ID: <200106230903.f5N93tf17332@daffy.ee.lbl.gov>

> When is the -w option useful?
> What is the real need to write the traffic to a tcpdump file if we are
> analysing it already?

It can be very useful to be able to analyze traffic off-line in order to
explore changes to policy scripts. For operational use, my experience is
it's rare to wind up going to the trace file, so if the disk space is a
problem, skipping it should generally be okay.

		Vern

From vern at ee.lbl.gov Sat Jun 23 02:07:15 2001
From: vern at ee.lbl.gov (Vern Paxson)
Date: Sat, 23 Jun 2001 02:07:15 PDT
Subject: interval to double
In-Reply-To: Your message of Fri, 22 Jun 2001 15:35:12 PDT.
Message-ID: <200106230907.f5N97F817342@daffy.ee.lbl.gov>

> I have:
> - a packet counter
> - an interval
> - a threshold of packet per second.
>
> When I multiply the interval with the threshold the result is an interval.
> I want to compare the result with the counter (of count type).
>
> Is there a converter (interval->count/int) or a smarter way to do it?

Ouch, no, there's no real way to do this. Probably the easiest solution
would be to add interval<->double converters. This is actually simple to
do, if you look in Func.cc at how bro_to_net is defined and exported, and
do the analogous operations.

		Vern

From tom_ada at hotmail.com Mon Jun 25 13:24:47 2001
From: tom_ada at hotmail.com (thomas thomas)
Date: Mon, 25 Jun 2001 20:24:47 -0000
Subject: link error while compiling
Message-ID:

Hi,

I am using bro version 0.7a62 and OpenBSD 2.8.
I was using libpcap-0.4 and everything was compiling perfectly.

Now I moved to libpcap-0.6.2 and it gives this link error while compiling.

I changed the libpcap and again it works perfectly.

regards
tom

c++ -o bro main.o net_util.o parse.o scan.o re-parse.o re-scan.o util.o Attr.o BackDoor.o BroString.o CCL.o CompHash.o Conn.o DFA.o Desc.o Dict.o Discard.o DNS.o EquivClass.o Event.o Expr.o File.o Finger.o Frag.o Frame.o FTP.o Func.o Hash.o HTTP.o ICMP.o ID.o Ident.o InterConn.o List.o Logger.o Login.o NFA.o NVT.o Net.o NetVar.o Obj.o PktSrc.o Portmap.o PriorityQueue.o Queue.o Reassem.o Rlogin.o RE.o RPC.o Scope.o Sessions.o SteppingStone.o Stmt.o TCP.o Telnet.o Timer.o Type.o UDP.o Val.o Var.o XDR.o cq.o nb_dns.o setsignal.o version.o -Lbind8/lib -lbind ../libpcap-0.6.2/libpcap.a -lm
parse.o: Definition of symbol `_yylhs' (multiply defined)
parse.o: Definition of symbol `_yylen' (multiply defined)
parse.o: Definition of symbol `_yydefred' (multiply defined)
parse.o: Definition of symbol `_yydgoto' (multiply defined)
parse.o: Definition of symbol `_yysindex' (multiply defined)
parse.o: Definition of symbol `_yyrindex' (multiply defined)
parse.o: Definition of symbol `_yygindex' (multiply defined)
parse.o: Definition of symbol `_yytable' (multiply defined)
parse.o: Definition of symbol `_yycheck' (multiply defined)
../libpcap-0.6.2/libpcap.a(grammar.o): Definition of symbol `_yylhs' (multiply defined)
../libpcap-0.6.2/libpcap.a(grammar.o): Definition of symbol `_yylen' (multiply defined)
../libpcap-0.6.2/libpcap.a(grammar.o): Definition of symbol `_yydefred' (multiply defined)
../libpcap-0.6.2/libpcap.a(grammar.o): Definition of symbol `_yydgoto' (multiply defined)
../libpcap-0.6.2/libpcap.a(grammar.o): Definition of symbol `_yysindex' (multiply defined)
../libpcap-0.6.2/libpcap.a(grammar.o): Definition of symbol `_yyrindex' (multiply defined)
../libpcap-0.6.2/libpcap.a(grammar.o): Definition of symbol `_yygindex' (multiply defined)
../libpcap-0.6.2/libpcap.a(grammar.o): Definition of symbol `_yytable' (multiply defined)
../libpcap-0.6.2/libpcap.a(grammar.o): Definition of symbol `_yycheck' (multiply defined)
collect2: ld returned 1 exit status
*** Error code 1

From vern at ee.lbl.gov Mon Jun 25 15:18:55 2001
From: vern at ee.lbl.gov (Vern Paxson)
Date: Mon, 25 Jun 2001 15:18:55 PDT
Subject: link error while compiling
In-Reply-To: Your message of Mon, 25 Jun 2001 20:24:47 PDT.
Message-ID: <200106252218.f5PMItB24389@daffy.ee.lbl.gov>

> Now I moved to libpcap-0.6.2 and it gives this link error while compiling.
>
> I changed the libpcap and again it works perfectly.

It appears that your libpcap-0.6.2 was compiled using a version of yacc
that doesn't support -p. If you can easily remedy that (say by using
bison), that should do the trick. Since your libpcap-0.4 doesn't have
this problem, it seems likely your system has the necessary flavor of
yacc, but for some reason ./configure didn't find it when building libpcap.

		Vern

From athomas at unity.ncsu.edu Thu Jun 28 15:01:24 2001
From: athomas at unity.ncsu.edu (ashley thomas)
Date: Thu, 28 Jun 2001 17:01:24 -500
Subject: Sequential access using 'for'
In-Reply-To: <200106251955.f5PJtvw23770@daffy.ee.lbl.gov>
Message-ID: <200106282101.RAA10459@uni03wi.unity.ncsu.edu>

>
> - There's now a "for" statement to iterate over the indices of
>   a table or the members of a set:
>
>       for ( i in foo )
>
>   for the above "foo" will iterate with i assigned to 1, 2, and 3;
>   *but not in general in that order*.
>

I need to traverse the table sequentially (upwards and downwards).
However it seems that the 'for' command does not do that.
Did you mean the same thing when you said:
"*but not in general in that order*"

Also is there any workaround so that I can access the table sequentially?

regards
Ashley

> Since "for" construct was not there in bro, I was using "recursive"
> function calls in my script.
> But now that "for" loop construct is there, I can use that.
>
> I want to know how much will I gain by doing that.
because presently I am using 0.7a48 and I have to do some additional changes to 0.7a62 before I can use that.
>
> I am using the recursive call for almost 512 rounds. So I guess there will be a tremendous change if I use for loop instead, right?

The for loop ought to be a lot more efficient, yes. But what you gain will
of course depend on how much your performance is currently dominated by
the recursive calls.

		Vern

Ashley Thomas
1713 Crest road #1
Raleigh NC 27606
phone (919)-829-3576

From vern at ee.lbl.gov Thu Jun 28 21:51:19 2001
From: vern at ee.lbl.gov (Vern Paxson)
Date: Thu, 28 Jun 2001 21:51:19 PDT
Subject: Sequential access using 'for'
In-Reply-To: Your message of Thu, 28 Jun 2001 17:01:24.
Message-ID: <200106290451.f5T4pJB07164@daffy.ee.lbl.gov>

> I need to traverse the table sequentially (upwards and downwards).
> However it seems that the 'for' command does not do that.

Right, it doesn't. (It's also not clear what "sequentially" means for
some types of table indexes, for example address/port pairs.)

What particular problem are you trying to solve? I ask because that'll
help me think about what sort of mechanism to add to support it.

		Vern