[Bro] broccoli tests

Christian Kreibich christian at whoop.org
Sun Jun 12 18:54:51 PDT 2005


On Wed, 2005-06-08 at 16:44 -0500, Mike Muratet wrote:
> Christian
> 
> I have been looking at broccoli debug output for broping and the related
> tcpdump files and bro logs. Using the timestamps I have followed the request 
> to bro for 'ping' and I can see in the bro log that 'ping' was received. 
> There's nothing in the logs about sending 'pong', and so far I haven't been 
> able to locate that part of the bro code by grep'ing "ping".

Both the ping and pong events are exclusively defined and handled in
broping.bro:

event ping(src_time: time, seq: count)
        {
        event pong(src_time, current_time(), seq);
        }

event pong(src_time: time, dst_time: time, seq: count)
        {
        print ping_log, fmt("ping received, seq %d, %f at src, %f at dest, one-way: %f",
                            seq, src_time, dst_time, dst_time-src_time);
        }

broping-record.bro does the same thing, using record types.

> However, I can 
> see in the tcpdump data that there is a response at the appropriate time 
> (even if I don't understand the payload info). Looking at the broccoli 
> output, it appears that it tries repeatedly to read a buffer in sets of 20 
> attempts, and finally gives up. If you (or anyone on the list) can point me 
> to the write part of bro, I'll look there to see if it's sending 'pong'.

Well ... after looking at the ASCII output of tcpdump you sent me, I can
say that the only thing that gets sent back to broping from Bro are TCP
acks, but no actual payload whatsoever. We'll need to look at the Bro
debugging output to figure out why it's not sending anything.

Cheers,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org
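Added example, not code from the post or from Bro/Broccoli: a Python check that does mechanically what the reply above describes doing by eye on the tcpdump ASCII output, summing payload bytes per direction of the broping connection to see whether Bro ever sent anything more than bare TCP acks back. The addresses, timestamps and the port in the sample lines are constructed, and the line shape assumed is that of current `tcpdump -nn` output.

```python
import re
from collections import Counter

# Constructed sample in tcpdump -nn shape: 10.0.0.5.40123 is the broping
# client, 10.0.0.9.47757 the Bro side (both addresses/ports are assumptions).
CLIENT = "10.0.0.5.40123"
SAMPLE = """\
12:00:00.000100 IP 10.0.0.5.40123 > 10.0.0.9.47757: Flags [S], seq 1000, win 65535, length 0
12:00:00.000200 IP 10.0.0.9.47757 > 10.0.0.5.40123: Flags [S.], seq 2000, ack 1001, win 65535, length 0
12:00:00.000300 IP 10.0.0.5.40123 > 10.0.0.9.47757: Flags [.], ack 1, win 65535, length 0
12:00:00.000400 IP 10.0.0.5.40123 > 10.0.0.9.47757: Flags [P.], seq 1:41, ack 1, win 65535, length 40
12:00:00.000500 IP 10.0.0.9.47757 > 10.0.0.5.40123: Flags [.], ack 41, win 65535, length 0
12:00:01.000400 IP 10.0.0.5.40123 > 10.0.0.9.47757: Flags [P.], seq 41:81, ack 1, win 65535, length 40
12:00:01.000500 IP 10.0.0.9.47757 > 10.0.0.5.40123: Flags [.], ack 81, win 65535, length 0
""".splitlines()

# One TCP packet line: endpoints, the bracketed flags and the trailing payload length.
PKT_RE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>[^:]+): Flags \[(?P<flags>[^\]]*)\].*?length (?P<length>\d+)"
)

def payload_by_direction(lines, client):
    """Count packets, payload bytes and pure-ACK packets for each direction.

    `client` is the Broccoli endpoint as tcpdump prints it (addr.port).
    Returns {'client->bro': Counter, 'bro->client': Counter}.
    """
    stats = {d: Counter() for d in ("client->bro", "bro->client")}
    for line in lines:
        m = PKT_RE.search(line)
        if not m:
            continue  # hexdump or other non-packet line
        direction = "client->bro" if m.group("src") == client else "bro->client"
        length = int(m.group("length"))
        stats[direction]["packets"] += 1
        stats[direction]["payload"] += length
        if length == 0 and m.group("flags") == ".":
            stats[direction]["ack_only"] += 1  # bare ACK, no data at all
    return stats

def diagnose(stats):
    """Turn the per-direction totals into the observation made in the reply."""
    if stats["client->bro"]["payload"] == 0:
        return "client sent no payload: the ping event never left broping"
    if stats["bro->client"]["payload"] == 0:
        return "Bro sent only TCP acks, no payload: pong never left Bro"
    return "payload flowed both ways: look at the event handlers next"

if __name__ == "__main__":
    s = payload_by_direction(SAMPLE, CLIENT)
    for direction, counts in s.items():
        print(direction, dict(counts))
    print(diagnose(s))
```

Run it over real `tcpdump -nn` output by replacing `SAMPLE` with the captured lines and `CLIENT` with the broping endpoint.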