[Bro] broccoli tests

scott campbell scampbell at lbl.gov
Mon Jun 6 11:17:27 PDT 2005


When I am not certain if communications are working (or more precisely
where they are failing) I run tcpdump on localhost and look at the payload.

Use flags like: tcpdump -n -i lo -s1500 -X port 47758

or something equivalent.  You should see:

> tcpdump: listening on lo
> 11:14:52.033801 127.0.0.1.32814 > 127.0.0.1.47758: P 3223603527:3223603715(188) ack 3222363924 win 32767 <nop,nop,timestamp 600132 598183> (DF)
> 0x0000   4500 00f0 58f9 4000 4006 e30c 7f00 0001        E...X.@.@.......
> 0x0010   7f00 0001 802e ba8e c024 4947 c011 5f14        .........$IG.._.
> 0x0020   8018 7fff fee4 0000 0101 080a 0009 2844        ..............(D
> 0x0030   0009 20a7 0000 0008 0200 0000 0000 0000        ................
> 0x0040   0000 00ac 6500 0000 0470 696e 6741 d0a9        ....e....pingA..
> 0x0050   24a7 0229 1300 0000 0101 0000 0000 880b        $..)............
> 0x0060   0001 0000 0000 8a07 0013 0700 0000 0000        ................
> 0x0070   0000 0201 0000 0002 0001 0000 0000 8a01        ................
> 0x0080   0003 0200 0000 0000 0000 0373 6571 0001        ...........seq..
> 0x0090   0000 0000 8a01 0006 0300 0000 0000 0000        ................
> 0x00a0   0873 7263 5f74 696d 6500 0000 0000 0000        .src_time.......
> 0x00b0   0000 0002 0101 0000 0000 8801 0001 0000        ................
> 0x00c0   0000 8a01 0003 0200 0000 0000 0000 0001        ................
> 0x00d0   0101 0000 0000 8801 0001 0000 0000 8a01        ................
> 0x00e0   0006 0300 0000 0000 41d0 a924 a702 2774        ........A..$..'t
> 11:14:52.033837 127.0.0.1.47758 > 127.0.0.1.32814: . ack 188 win 32767 <nop,nop,timestamp 600132 600132> (DF)
> 0x0000   4500 0034 45c0 4000 4006 f701 7f00 0001        E..4E.@.@.......
> 0x0010   7f00 0001 ba8e 802e c011 5f14 c024 4a03        .........._..$J.
> 0x0020   8010 7fff 4416 0000 0101 080a 0009 2844        ....D.........(D
> 0x0030   0009 2844                                      ..(D
> 11:14:52.593017 127.0.0.1.47758 > 127.0.0.1.32814: P 1:144(143) ack 188 win 32767 <nop,nop,timestamp 600188 600132> (DF)
> 0x0000   4500 00c3 45c1 4000 4006 f671 7f00 0001        E...E.@.@..q....
> 0x0010   7f00 0001 ba8e 802e c011 5f14 c024 4a03        .........._..$J.
> 0x0020   8018 7fff feb7 0000 0101 080a 0009 287c        ..............(|
> 0x0030   0009 2844 0000 0008 0279 8d09 0000 0000        ..(D.....y......
> 0x0040   0000 007f 6500 0000 0470 6f6e 6741 d0a9        ....e....pongA..
> 0x0050   24a7 0000 0000 0000 0101 0000 0016 880b        $...............
> 0x0060   0000 0000 000b 0000 0000 0000 0000 0003        ................
> 0x0070   0101 0000 0017 8801 0001 0000 0018 8a01        ................
> 0x0080   0003 0200 0000 0000 0000 0001 0101 0000        ................
> 0x0090   0019 8801 0001 0000 001a 8a01 0006 0300        ................
> 0x00a0   0000 0000 41d0 a924 a702 2774 0101 0000        ....A..$..'t....
> 0x00b0   001b 8801 0000 0000 000f 0041 d0a9 24a7        ...........A..$.
> 0x00c0   02c2 a4                                        ...
> 11:14:52.593059 127.0.0.1.32814 > 127.0.0.1.47758: . ack 144 win 32767 <nop,nop,timestamp 600188 600188> (DF)
> 0x0000   4500 0034 58fa 4000 4006 e3c7 7f00 0001        E..4X.@.@.......
> 0x0010   7f00 0001 802e ba8e c024 4a03 c011 5fa3        .........$J..._.
> 0x0020   8010 7fff 4317 0000 0101 080a 0009 287c        ....C.........(|
> 0x0030   0009 287c                                      ..(|

You may also want to use the 'broping -r' option, since I recall a data
struct problem with the non-record based broping.

Let me know if you still have issues with this.

scott
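
The hex dump above can be turned back into bytes and walked to the application payload, which is what "look at the payload" amounts to in practice. The following is an added example for this thread, not code from Bro, Broccoli or the post's author. SAMPLE_DUMP re-types the first quoted packet; the parser checks the offset column so a mis-copied line is caught, walks the IPv4 and TCP headers to find where the Broccoli bytes start, and lists the printable runs (the event name "ping", the field names "seq" and "src_time"). Reading the eight bytes after the event name as a network-order double is an assumption prompted by the "src_time" name, not a format the thread documents; it happens to decode to a June 2005 Unix time.

```python
"""Carve the TCP payload out of a 'tcpdump -X' hexdump taken on lo.

Added example for this thread, not Bro or Broccoli code. SAMPLE_DUMP
re-types the first packet of the capture quoted above. Reading the bytes
after the event name as a big-endian double is an assumption suggested
by the 'src_time' field name; the thread does not document the format.
"""
import re
import struct
from datetime import datetime, timezone

SAMPLE_DUMP = """\
0x0000   4500 00f0 58f9 4000 4006 e30c 7f00 0001        E...X.@.@.......
0x0010   7f00 0001 802e ba8e c024 4947 c011 5f14        .........$IG.._.
0x0020   8018 7fff fee4 0000 0101 080a 0009 2844        ..............(D
0x0030   0009 20a7 0000 0008 0200 0000 0000 0000        ................
0x0040   0000 00ac 6500 0000 0470 696e 6741 d0a9        ....e....pingA..
0x0050   24a7 0229 1300 0000 0101 0000 0000 880b        $..)............
0x0060   0001 0000 0000 8a07 0013 0700 0000 0000        ................
0x0070   0000 0201 0000 0002 0001 0000 0000 8a01        ................
0x0080   0003 0200 0000 0000 0000 0373 6571 0001        ...........seq..
0x0090   0000 0000 8a01 0006 0300 0000 0000 0000        ................
0x00a0   0873 7263 5f74 696d 6500 0000 0000 0000        .src_time.......
0x00b0   0000 0002 0101 0000 0000 8801 0001 0000        ................
0x00c0   0000 8a01 0003 0200 0000 0000 0000 0001        ................
0x00d0   0101 0000 0000 8801 0001 0000 0000 8a01        ................
0x00e0   0006 0300 0000 0000 41d0 a924 a702 2774        ........A..$..'t
"""

HEX_WORD = re.compile(r"[0-9a-fA-F]{4}|[0-9a-fA-F]{2}")
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def parse_hexdump(text):
    """Turn '0x0010   7f00 0001 ...  ascii' lines into bytes.

    Each line's offset is checked against the bytes seen so far, so a
    dropped or mis-copied line is reported instead of silently shifting
    every later header field.
    """
    data = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not tokens[0].lower().startswith("0x"):
            continue
        offset = int(tokens[0].rstrip(":"), 16)
        if offset != len(data):
            raise ValueError(f"offset {offset:#06x} but {len(data)} bytes collected")
        for tok in tokens[1:9]:  # at most eight 16-bit words, then the ASCII column
            if not HEX_WORD.fullmatch(tok):
                break
            data += bytes.fromhex(tok)
    return bytes(data)


def parse_packet(packet):
    """Walk the IPv4 and TCP headers; return addressing, flags and payload."""
    if packet[0] >> 4 != 4 or packet[9] != 6:
        raise ValueError("expected an IPv4/TCP packet")
    ihl = (packet[0] & 0x0F) * 4                     # IPv4 header length in bytes
    total_len = struct.unpack_from("!H", packet, 2)[0]
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    sport, dport, seq, ack, off_flags = struct.unpack_from("!HHIIH", packet, ihl)
    data_off = (off_flags >> 12) * 4                 # TCP header length in bytes
    return {
        "src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
        "seq": seq, "ack": ack,
        "flags": [n for bit, n in TCP_FLAGS.items() if off_flags & bit],
        "payload": packet[ihl + data_off:total_len],
    }


def printable_runs(data, min_len=3):
    """Runs of printable ASCII: the quickest way to spot event and field names."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":  # sentinel flushes the final run
        if 0x20 <= b < 0x7F:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    return runs


def double_after(payload, marker):
    """Decode the 8 bytes after `marker` as a network-order double (assumption)."""
    i = payload.find(marker)
    if i < 0:
        raise ValueError(f"{marker!r} not found in payload")
    return struct.unpack_from("!d", payload, i + len(marker))[0]


if __name__ == "__main__":
    pkt = parse_packet(parse_hexdump(SAMPLE_DUMP))
    print(f"{pkt['src']} -> {pkt['dst']} {pkt['flags']} seq={pkt['seq']} "
          f"payload={len(pkt['payload'])} bytes")
    print("strings:", printable_runs(pkt["payload"]))
    ts = double_after(pkt["payload"], b"ping")
    print("bytes after 'ping' as a double:", ts, datetime.fromtimestamp(ts, tz=timezone.utc))
```

The offset check matters more than it looks: hex dumps pasted into mail lose lines easily, and a single missing line shifts the TCP data offset so that every later field is misread. The payload length the script reports (188 bytes) should match the `(188)` in the tcpdump summary line; if it does not, the capture, not the client, is what needs fixing.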


Mike Muratet wrote:
>
> ----- Original Message ----- From: "Christian Kreibich"
> <christian at whoop.org>
> To: "Bro List" <bro at bro-ids.org>
> Sent: Friday, June 03, 2005 5:26 PM
> Subject: Re: [Bro] broccoli tests
>
>
>> On Fri, 2005-06-03 at 14:32 -0700, Christian Kreibich wrote:
>>
>>> Hi Mike,
>>>
>>> I just noticed there may be issues with connections that *don't* require
>>> synchronized access because all my latest experiments required this
>>> feature.
>>
>>
>> I've just fixed these problems in CVS and bundled up a snapshot tarball:
>>
>> http://www.cl.cam.ac.uk/~cpk25/broccoli/snapshots/broccoli-0.8.060305.tar.gz
>>
>>
>> Please use this one until 0.8 is out. I've verified that broping really
>> should work out of the box with this tarball and Bro 0.9a9. Just run bro
>> directly with broping.bro, and don't pass any arguments to broping.
>> Output from the two shells:
>>
>> $ ./bro ~/devel/Broccoli/test/broping.bro
>> 1117837283.819435 warning: event handlers never invoked:
>> 1117837283.819435 warning:       ping
>>
>> $ broping
>> pong event from 127.0.0.1: seq=0, time=0.010662/1.010452 s
>> pong event from 127.0.0.1: seq=1, time=0.008867/1.008964 s
>> pong event from 127.0.0.1: seq=2, time=0.038239/1.009833 s
>> pong event from 127.0.0.1: seq=3, time=0.009923/1.009428 s
>> pong event from 127.0.0.1: seq=4, time=0.038738/1.009980 s
>>
>> Let me know if it still doesn't work for you.
>>
>
> I'm still having trouble. Here's where I've looked for a solution:
>
> I stopped bro and used nmap to scan 47757 and 47758 and they are both
> closed. I then restarted bro with load @broping as the last line in my
> local.site.bro and repeated the scan with the result that 47757 is now
> open. The latest iana.org list shows these ports are in an 'unassigned'
> range. I am starting bro logged in a root and the bro.cfg file defines
> root as the user.
>
> The comm.log file says that bro is listening on 127.0.0.1:47757. It also
> complains on the line above this that "can't bind to port: address in
> use". I have no clue what this means, since the port scan shows those
> ports closed when bro is stopped.
>
> I looked at broping.bro, which loads listen-clear.bro which loads
> remote.bro. remote.bro defines 'default_port_clear=47757.tcp'.
> listen-clear.bro uses this value to initialize listen_port_clear.
> broping.bro checks to see if listen_port_clear is defined and if so
> redefines it to 47758. If this were successful, would not the port scan
> show 47758 as open? Running broping -d -d I see in the output that the
> connection was refused to 127.0.0.1:47758.
>
> Any suggestions how to troubleshoot the port?
>
> Thanks
>
> Mike
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
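
The two observations in the quoted question, nmap reporting the port closed while Bro logs "can't bind to port: address in use", answer different questions: a scan shows what a connecting client sees, the bind error shows what a listener sees at startup, and the two disagree whenever something holds the port without accepting connections. The following is an added example for this thread, not code from Bro or Broccoli; it assumes Linux/BSD socket semantics and that no socket on the host sets SO_REUSEPORT on the port being checked. The port numbers in the `__main__` block are the ones from the thread; `bound_socket` is a helper for reproducing each state locally.

```python
"""Tell 'nothing listening' apart from 'address already in use'.

Added example for this thread, not Bro or Broccoli code. connect_state()
reports what a port scanner sees; bind_state() reports what a daemon
sees when it tries to take the port. Assumes Linux/BSD socket semantics
and no SO_REUSEPORT on the sockets involved.
"""
import contextlib
import errno
import socket


def connect_state(host, port, timeout=1.0):
    """Scanner's view: 'open' on a completed handshake, 'closed' on RST."""
    with contextlib.closing(socket.socket()) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"


def bind_state(host, port):
    """Listener's view: 'free' if bind() succeeds, 'in use' on EADDRINUSE."""
    with contextlib.closing(socket.socket()) as s:
        try:
            s.bind((host, port))
            return "free"
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return "in use"
            raise


def diagnose(host, port):
    """Pair both views.

    ('closed', 'in use') is the confusing combination from the thread:
    something holds the port without accepting connections, for example a
    socket that is bound but not listening, or a TIME_WAIT entry left by a
    previous instance when the new listener does not set SO_REUSEADDR.
    """
    return connect_state(host, port), bind_state(host, port)


def bound_socket(host="127.0.0.1", listen=False):
    """Helper: bind an ephemeral loopback port, optionally start listening."""
    s = socket.socket()
    s.bind((host, 0))
    if listen:
        s.listen(1)
    return s


if __name__ == "__main__":
    for port in (47757, 47758):  # Broccoli clear-text ports discussed in the thread
        print(port, diagnose("127.0.0.1", port))
    held = bound_socket()        # bound but not listening: scan says closed, bind fails
    print("bound-only:", diagnose("127.0.0.1", held.getsockname()[1]))
    held.close()
    listening = bound_socket(listen=True)
    print("listening:", diagnose("127.0.0.1", listening.getsockname()[1]))
    listening.close()
```

Running `diagnose` on the port from the log line gives an immediate answer: `('closed', 'in use')` means the port is held by something that is not accepting, so the next step is finding the holder (netstat or ss with the listening and all-sockets options, including TIME_WAIT entries) rather than re-checking the Bro configuration; `('closed', 'free')` means the bind error came from a different address or port than the one being scanned.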
