[Bro] warning: Unmatched end of data

Nikns Siankin nikns at secure.lv
Fri Mar 9 02:32:38 PST 2007


On Fri, Mar 02, 2007 at 03:17:30PM +0100, Matthias Vallentin wrote:
>On Fri, Mar 02, 2007 at 03:49:21PM +0200, Nikns Siankin wrote:
>> Hello!
>> Bro runs on live interface.
>> Got following warnings, what do they mean?
>> 
>> # BROPATH=/usr/local/policy/ bro -f tcp -i fxp1 brolite
>> bro:/usr/lib/libc.so.39.3: /usr/local/lib/libbind.so.2.0 : WARNING: symbol(__p_class_syms) size 
>> mismatch, relink your program
>> bro:/usr/lib/libc.so.39.3: bro : WARNING: symbol(_res) size mismatch, relink your program
>> bro:/usr/lib/libc.so.39.3: /usr/local/lib/libbind.so.2.0 : WARNING: symbol(__p_type_syms) size 
>> mismatch, relink your program
>> pcap bufsize = 32768
>> listening on fxp1
>> 1172677797.973010 warning: Unmatched end of data
>> 1172682221.064469 warning: Unmatched end of data
>> 1172686653.318668 warning: Unmatched end of data
>> 1172694350.686900 warning: Unmatched end of data
>> 1172804317.999561 warning: Unmatched end of data
>
>Hello Nikns!
>
>To help you further debugging, it would be great if you could provide a
>little bit more information about (i) your Bro version and (ii) your
>environment (architecture, os, etc.).
>
>Please use the latest Bro version unless you have a certain reason not to do
>so. Assuming that you are using FreeBSD, you also want to tweak the bpf
>buffer sizes; add the following to your /etc/sysctl.conf:
>
>net.bpf.maxbufsize=8388608
>net.bpf.bufsize=4194304

Thanks, did so, but got warning anyway:
[...]
pcap bufsize = 4194304
listening on fxp1
1173366784.729356 warning: Unmatched end of data

I am on OpenBSD 4.0, bro 1.2.1.

Am I droping packets? CPU is ~80% idle.

BTW: Could it be so, that I have IP addresses in ssh.log,
which hasn't in conn.log? sounds weird. I thought every connection
is logged in conn.log....


Thanks!



>
>   Matthias
>-- 
>Matthias Vallentin
>vallentin at icsi.berkeley.edu
>pgp/gpg: 0x37F34C16
>_______________________________________________
>Bro mailing list
>bro at bro-ids.org
>http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



More information about the Bro mailing list