[Bro] Bro 1.4, bropipe and MacOS

Stephen Chan sychan at lbl.gov
Wed Jan 14 14:45:49 PST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,
    Has anyone built and run bropipe under Bro 1.4 on MacOS 10.5.6?

    Bro and broccoli built and installed happily, and bropipe also
built cleanly (after requiring that libstdc++ be explicitly put in the
linker files, what's up with that?)

    But when I try to have bropipe connect to a local Bro instance, it
fails to connect. In fact, it doesn't even seem to get to the point
where it tries to open the tcp connection. Nothing shows up on a
tcpdump (a telnet to the same port shows traffic getting through).

    A system call trace of the program (run with "./bropipe -df -host=127.0.0.1")
gives this after the executable is pretty close to being done with loading
libraries:

open("/usr/local/bro/lib/libbroccoli.2.dylib\0", 0x0, 0x0)         = 3 0
pread(0x3, "\316\372\355\376\a\0", 0x1000, 0x0)         = 4096 0
mmap(0x22000, 0x10000, 0x5, 0x12, 0x3, 0x100000000)         = 0x22000 0
mmap(0x32000, 0x1000, 0x3, 0x12, 0x3, 0x100000000)         = 0x32000 0
mmap(0x33000, 0x1000, 0x7, 0x12, 0x3, 0x100000000)         = 0x33000 0
mmap(0x34000, 0xF950, 0x1, 0x12, 0x3, 0x100000000)         = 0x34000 0
fcntl(0x3, 0x2C, 0xFFFFFFFFBFFFB994)         = 0 0
fcntl(0x3, 0x2C, 0xFFFFFFFFBFFFB994)         = 0 0
fcntl(0x3, 0x2C, 0xFFFFFFFFBFFFB994)         = 0 0
close(0x3)         = 0 0
stat("/usr/lib/libstdc++.6.dylib\0", 0xBFFFD408, 0xFFFFFFFFBFFFB994)         = 0 0
stat("/usr/lib/libgcc_s.1.dylib\0", 0xBFFFD408, 0xFFFFFFFFBFFFB994)         = 0 0
stat("/usr/lib/libSystem.B.dylib\0", 0xBFFFD408, 0xFFFFFFFFBFFFB994)         = 0 0
stat("/usr/lib/libssl.0.9.7.dylib\0", 0xBFFFD2F8, 0xFFFFFFFFBFFFB994)         = 0 0
stat("/usr/lib/libcrypto.0.9.7.dylib\0", 0xBFFFD2F8, 0xFFFFFFFFBFFFB994)     = 0 0
stat("/usr/lib/system/libmathCommon.A.dylib\0", 0xBFFFCF48, 0xFFFFFFFFBFFFB994) = 0 0
open("/dev/dtracehelper\0", 0x2, 0xBFFFE444)         = 3 0
ioctl(0x3, 0x80086804, 0xBFFFE3C8)         = 0 0
close(0x3)         = 0 0
__sysctl(0xBFFFE29C, 0x2, 0xBFFFE2A4)         = 0 0
bsdthread_register(0x92F4EF30, 0x92F872A4, 0x1000)         = 0 0
open_nocancel("/dev/urandom\0", 0x0, 0x0)         = 3 0
read_nocancel(0x3, "=x\2006F\005\222\236y\0", 0x20)         = 32 0
close_nocancel(0x3)         = 0 0
mmap(0x0, 0x3000, 0x3, 0x1002, 0x1000000, 0x100000000)         = 0x44000 0
mmap(0x0, 0x200000, 0x3, 0x1002, 0x7000000, 0x100000000)         = 0x47000 0
munmap(0x47000, 0xB9000)         = 0 0
munmap(0x200000, 0x47000)         = 0 0
mmap(0x0, 0x3000, 0x3, 0x1002, 0x1000000, 0x100000000)         = 0x47000 0
getpid(0x0, 0x3000, 0x3)         = 5743 0
select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468)         = 0 0
select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468)         = 0 0
select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468)         = 0 0

[more selects ]

select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468)         = 0 0
select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468)         = 0 0
could not connect to Bro at host=127.0.0.1:.
Will try again in 5 seconds
select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468)         = 0 0
write_nocancel(0x2, "could not connect to Bro at host=127.0.0.1:.\n\0", 0x2D)     = 45 0
write_nocancel(0x2, "Will try again in 5 seconds \n\0", 0x1D)         = 29 0
select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468)         = 0 0


    It looks like the call to bro_conn_connect() at bropipe.cc:212 is
getting stalled somehow.

    Has anyone else seen this? Is there something really obvious that
I'm overlooking? Packet filters are ruled out, and nothing in the logs
indicates that the system is seeing any activity. Basically the
bro_conn_connect() call just seems to chase its tail around for a bit
and then return, without attempting a tcp connect.

    Thanks,
    Steve

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkluax0ACgkQcVd2YI1BWAgOfgCeIAk7AEC/LPmCBpm8fAZXRRT5
U/YAn3kC0+fTW1F79UBoNb9djMkMW0oN
=9mhA
-----END PGP SIGNATURE-----
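Added example for this thread, not code from bropipe or Broccoli and not something Steve posted. The diagnostic point in the message is worth making mechanical: a dtruss trace that ends in "could not connect" but never contains socket()/connect() tells you the failure is inside the library or its configuration, before any packet could exist, whereas a trace with a failed connect() points at the peer or a filter. The script below assumes dtruss output in the shape quoted above ("name(args) = ret errno") and classifies a trace on that basis. Both sample traces are constructed: the first mirrors the post's trace, the second is an invented contrast case where connect() is refused.

```python
"""Classify a dtruss-style syscall trace from a client that fails to connect.

Added example, not bropipe/Broccoli code. Assumes dtruss lines of the form
"name(args) = ret errno" and answers one question: did the process ever reach
the network (socket/connect), or did it give up before any networking syscall?
"""
import re
from typing import Dict, List

# Constructed sample modelled on the trace quoted in the thread: library loads,
# idle select() calls, the error message, and no socket()/connect() anywhere.
NO_ATTEMPT_TRACE = r"""
open("/usr/local/bro/lib/libbroccoli.2.dylib\0", 0x0, 0x0)         = 3 0
close(0x3)         = 0 0
open_nocancel("/dev/urandom\0", 0x0, 0x0)         = 3 0
read_nocancel(0x3, "=x\2006F\005\222\236y\0", 0x20)         = 32 0
close_nocancel(0x3)         = 0 0
getpid(0x0, 0x3000, 0x3)         = 5743 0
select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468)         = 0 0
select(0x0, 0x0, 0x0, 0x0, 0xBFFFF468)         = 0 0
could not connect to Bro at host=127.0.0.1:.
write_nocancel(0x2, "could not connect to Bro at host=127.0.0.1:.\n\0", 0x2D)     = 45 0
"""

# Constructed contrast case: a client that does reach the network and is refused
# (Err#61 is how dtruss renders ECONNREFUSED on macOS; value chosen for the example).
REFUSED_TRACE = r"""
socket(0x2, 0x1, 0x6)         = 3 0
connect(0x3, 0xBFFFF4A0, 0x10)         = -1 Err#61
close(0x3)         = 0 0
write_nocancel(0x2, "could not connect\n\0", 0x13)     = 19 0
"""

# name(args) = ret errno   -- greedy args group backtracks to the last ')' before '='
SYSCALL_RE = re.compile(r"^\s*(\w+)\((.*)\)\s*=\s*(-?\d+)\s*(\S*)")

# Syscalls that prove the client reached the network layer at all.
NETWORK_CALLS = {"socket", "connect", "sendto", "sendmsg"}


def parse_trace(text: str) -> List[Dict[str, object]]:
    """Turn dtruss lines into records; program output lines that are not syscalls are skipped."""
    calls: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if not m:
            continue
        name, args, ret, err = m.groups()
        calls.append({"name": name, "args": args, "ret": int(ret), "err": err})
    return calls


def is_idle_select(call: Dict[str, object]) -> bool:
    """select(0, NULL, NULL, NULL, &tv) waits on no descriptor: a timed sleep, not socket I/O."""
    return call["name"] == "select" and str(call["args"]).startswith("0x0, 0x0, 0x0, 0x0")


def classify(calls: List[Dict[str, object]]) -> Dict[str, object]:
    """Report whether a connect was attempted and, if so, how it failed."""
    network = [c for c in calls if c["name"] in NETWORK_CALLS]
    failed = [c for c in network if c["name"] == "connect" and int(c["ret"]) < 0]
    idle = sum(1 for c in calls if is_idle_select(c))
    if not network:
        verdict = "no-connect-attempt"  # look at the library/config path, not at the network
    elif failed:
        verdict = "connect-failed"      # the attempt was made; look at the peer or a filter
    else:
        verdict = "connect-attempted"
    return {
        "verdict": verdict,
        "network_calls": len(network),
        "idle_selects": idle,
        "errors": [c["err"] for c in failed],
    }


def report(text: str) -> str:
    """One-line human summary for a trace."""
    r = classify(parse_trace(text))
    return (f"{r['verdict']}: {r['network_calls']} networking syscall(s), "
            f"{r['idle_selects']} idle select() call(s), errors={r['errors']}")


if __name__ == "__main__":
    print(report(NO_ATTEMPT_TRACE))
    print(report(REFUSED_TRACE))
```

Feed it a real capture with `report(open("trace.txt").read())`. The idle-select count is the detail that matters in the thread's trace: a select() with no descriptors and only a timeout is a sleep loop, which is consistent with the library waiting on something that never happens rather than with any socket activity.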
