[Bro] Offline trace: segmentation fault

Shoey Fighter shoeyfighter at gmail.com
Thu May 29 22:04:55 PDT 2008


1) Yes, if I use tcpdump -r on the trace it spits out the packets
fine. One thing I noticed is that many of the packets are truncated
(listed as IP truncated-ip), and the number of bytes missing is not
homogeneous between the truncated packets. Could this be the problem?

2) I tried: 10000, 1000, 100, 10, 1 and none worked. I noticed that
the first packet has the "IP truncated-ip" message. Is there a way to
skip some n number of packets?

I have included a 100 packet sample if it helps.

Thanks.

On Thu, May 29, 2008 at 7:37 PM, Vern Paxson <vern at icir.org> wrote:
> (1) Can you read the trace successfully using tcpdump?
>
> (2) If so, what's the shortest subset of it that causes Bro to crash?
>    You can generate short subsets using tcpdump -c <pkt-cnt> to extract
>    just the first <pkt-cnt> packets.
>
> (3) (And if you can't read it with tcpdump, then the problem is elsewhere ...)
>
>                Vern
>
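As an added example (not code from this thread, nor from Bro or tcpdump), here is a minimal reader for the little-endian pcap format that flags records whose saved length is shorter than the on-wire length, which is the condition tcpdump reports as "truncated-ip", and that writes out a subset of records, either the first n (the same subset Vern suggests producing with tcpdump -c) or everything after the first n. The sample capture and its timestamps are constructed inline; the function and constant names are my own.

```python
import struct

# pcap file header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
GLOBAL_HDR = struct.Struct("<IHHiIII")
# per-record header: ts_sec, ts_usec, caplen (bytes saved), origlen (bytes on the wire)
REC_HDR = struct.Struct("<IIII")
MAGIC_USEC = 0xA1B2C3D4  # little-endian, microsecond timestamps

def parse_pcap(data: bytes):
    """Return (snaplen, records); each record is (caplen, origlen, payload)."""
    magic, _, _, _, _, snaplen, _ = GLOBAL_HDR.unpack_from(data, 0)
    if magic != MAGIC_USEC:
        raise ValueError("unsupported pcap magic: %#x" % magic)
    off, records = GLOBAL_HDR.size, []
    while off + REC_HDR.size <= len(data):
        _, _, caplen, origlen = REC_HDR.unpack_from(data, off)
        payload = data[off + REC_HDR.size:off + REC_HDR.size + caplen]
        if len(payload) < caplen:  # file ends mid-record: the capture itself is cut short
            raise ValueError("record at offset %d runs past end of file" % off)
        records.append((caplen, origlen, payload))
        off += REC_HDR.size + caplen
    return snaplen, records

def truncated_packets(data: bytes):
    """Indices of records with fewer saved bytes than were on the wire (tcpdump's truncated-ip)."""
    _, records = parse_pcap(data)
    return [i for i, (caplen, origlen, _) in enumerate(records) if caplen < origlen]

def build_pcap(records, snaplen=65535, linktype=1) -> bytes:
    """Serialise (caplen, origlen, payload) records as a pcap; linktype 1 is Ethernet."""
    out = [GLOBAL_HDR.pack(MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)]
    for i, (caplen, origlen, payload) in enumerate(records):
        out.append(REC_HDR.pack(0, i, caplen, origlen) + payload[:caplen])  # constructed timestamps
    return b"".join(out)

def subset(data: bytes, skip: int = 0, count=None) -> bytes:
    """Keep records[skip:skip+count] (count=None keeps the rest). skip=0 with a count
    is the subset `tcpdump -r in.pcap -w out.pcap -c <count>` would write."""
    snaplen, records = parse_pcap(data)
    stop = None if count is None else skip + count
    return build_pcap(records[skip:stop], snaplen)

# Constructed sample: three records, the middle one truncated (96 of 1514 bytes saved)
SAMPLE = build_pcap([(60, 60, b"\x00" * 60), (96, 1514, b"\x11" * 96), (42, 42, b"\x22" * 42)], snaplen=96)

if __name__ == "__main__":
    print("truncated records:", truncated_packets(SAMPLE))              # [1]
    print("records left after skipping 1:", len(parse_pcap(subset(SAMPLE, skip=1))[1]))  # 2
```

Running truncated_packets over a real trace before feeding it to Bro tells you whether the file contains short records at all, and subset lets you bisect the crash to a small range of packets.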