How can I do report cyclically

Vern Paxson vern at aciri.org
Fri Nov 9 00:49:08 PST 2001


> I would like to have reports cyclically of my network usage beside the
> intrusion detection, so I have a short script like the attached file.
> Unfortunately, bro seems to do nothing with reporting. It isn't documented, so
> can you draw me a way of doing that?

Your script has the right idea.  The main thing missing is that "schedule"
only schedules an event to occur once, so you need to reschedule it if 
you want it to repeat.  So change:

	event report_status()
	{
		local res = resource_usage();

		log fmt("Up time: %s; Max used memory ..."
	}

to:

	event report_status()
	{
		local res = resource_usage();

		log fmt("Up time: %s; Max used memory ..."

		schedule +1min { report_status() };
	}

The other problem you may be running into is that Bro uses the
timestamps of the incoming packet stream as its clock.  So if the
packet filter isn't accepting any packets, then "time" doesn't
in fact advance, and timers don't expire.  (Clearly, this is a
deficiency.)  So that may be why you never got any output at all.

Also, a note.  You extended the existing bro_init() to schedule
the event:

	event bro_init()
	{
		if ( restrict_filter == "" && capture_filter == "" )
			print "tcp or not tcp";
		else if ( restrict_filter == "" )
			print capture_filter;
		else if ( capture_filter == "" )
			print restrict_filter;
		else
			print fmt("(%s) and (%s)", capture_filter, restrict_filter);

		schedule +1 min { report_status() };
	}

but it works just as well to instead define a *new* bro_init event handler:

	event bro_init()
		{
		schedule +1 min { report_status() };
		}

This handler will be invoked *in addition* to the already existing one.

		Vern
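
Added example, not part of the original message and not Bro's own code: a toy Python model of the two points in the reply above, a one-shot "schedule" that must be re-armed, and a clock that only advances on packet timestamps. The names PacketClock and run, the clock starting at 0, and the sample packet times are assumptions made for illustration.

```python
import heapq

class PacketClock:
    """Toy timer queue whose notion of "now" is the last packet timestamp."""

    def __init__(self):
        self.now = 0.0        # assumed start of network time
        self._timers = []     # heap of (expiry, seq, callback)
        self._seq = 0         # tie-breaker so callbacks are never compared

    def schedule(self, delay, callback):
        # One-shot, like "schedule": the callback fires once at now + delay.
        heapq.heappush(self._timers, (self.now + delay, self._seq, callback))
        self._seq += 1

    def packet(self, ts):
        # Time advances only here; due timers expire as a side effect.
        self.now = ts
        while self._timers and self._timers[0][0] <= ts:
            _, _, callback = heapq.heappop(self._timers)
            callback()

def run(packet_times, reschedule):
    """Return the network times at which report_status() fired."""
    clock = PacketClock()
    reports = []

    def report_status():
        reports.append(clock.now)
        if reschedule:
            clock.schedule(60.0, report_status)   # re-arm for the next minute

    clock.schedule(60.0, report_status)           # what bro_init() does
    for ts in packet_times:
        clock.packet(ts)
    return reports

# Constructed sample inputs (seconds of network time).
STEADY = [float(t) for t in range(10, 301, 10)]   # a packet every 10 s
BURSTY = [10.0, 20.0, 400.0, 410.0]               # filter quiet for ~6 min

if __name__ == "__main__":
    print("no reschedule:", run(STEADY, reschedule=False))
    print("reschedule   :", run(STEADY, reschedule=True))
    print("no packets   :", run([], reschedule=True))
    print("quiet gap    :", run(BURSTY, reschedule=True))
```

In this model a quiet gap produces a single late report when the next packet arrives, and no packets at all produces no report.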


