[Bro] Troubleshooting crashes

Seth Hall seth at icir.org
Tue Sep 11 06:16:06 PDT 2012


On Sep 10, 2012, at 8:51 PM, Tritium Cat <tritium.cat at gmail.com> wrote:

> listening on eth5, capture length 8192 bytes

I see later in the email that you have the MTU on your NIC set to 9600.  You may want to add the following line to local.bro to make Bro's snap length match that.

redef snaplen = 9600;

> /usr/local/3rd-party/bro/share/broctl/scripts/run-bro: line 60: 15452 Segmentation fault      nohup $mybro $@

Hm, looks like you aren't getting stack traces.  Your OS is probably not keeping core dumps or writing them to some OS-wide core dump directory.  Change the sysctl variable for your OS to dump core files and make sure they're being dropped into the CWD prefixed with "core".

Daniel, do you think that's something that you could add to the documentation somewhere?

> bro at bc : [12:33am] : 2012-08-30 : gzcat weird.23:00:00-00:00:00.log.gz | awk '{print $7}' | sort | uniq -c | sort -rn | head -10
> 614589 data_before_established
> 585445 possible_split_routing

I'm a little curious about these two.  Normally lots of these lines indicate that something is wrong with how Bro is collecting packets.  I'm interested to find out if these go away when you adapt the snap length.  Is the MTU of your network actually 9600 or did you just set that MTU for the interface to the maximum it would allow?

> [worker-1]
> type=worker
> host=z.z.z.A
> interface=eth5 
> lb_procs=10
> lb_method=pf_ring

Nice, I don't think that many people are using the load balancing feature of BroControl yet since I don't think we have it documented.  

Daniel, did that end up getting documented anywhere?

> Yeah, I've used those recommendations from the start with one exception; the Intel X520-DA2 cards I'm using do not support disabling "ufo" (UDP large send offload).

I would think that's fine.

Thanks for all of the debugging information, it's really helpful.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
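
The core-dump check described in the message above, as an added example that is not part of the original email or of BroControl. It assumes a Linux sensor (the thread mentions eth5 and pf_ring), where the sysctl is kernel.core_pattern and the size limit is "ulimit -c"; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes Linux, where the
# sysctl is kernel.core_pattern. Function names are hypothetical.

# Classify a kernel.core_pattern value by where the dump would end up.
classify_core_pattern() {
    case "$1" in
        "")    echo "empty" ;;      # no file name starting with "core"
        "|"*)  echo "piped" ;;      # handed to a helper (apport, systemd-coredump)
        /*)    echo "absolute" ;;   # written to an OS-wide directory
        */*)   echo "subdir" ;;     # relative, but not directly in the CWD
        core*) echo "cwd-core" ;;   # in the CWD, name starts with "core"
        *)     echo "cwd-other" ;;  # in the CWD, but not prefixed "core"
    esac
}

# A core size limit of 0 means no core file is written to disk.
core_limit_allows_dump() {
    [ "$1" = "unlimited" ] || [ "$1" -gt 0 ] 2>/dev/null
}

# Combine both checks into one verdict for a given limit and pattern.
core_dump_verdict() {
    limit=$1
    pattern=$2
    if ! core_limit_allows_dump "$limit"; then
        echo "FAIL: core size limit is $limit; raise it with 'ulimit -c unlimited'"
        return 1
    fi
    kind=$(classify_core_pattern "$pattern")
    if [ "$kind" = "cwd-core" ]; then
        echo "OK: cores land in the working directory as '$pattern'"
    else
        echo "FAIL: core_pattern '$pattern' is $kind; try 'sysctl -w kernel.core_pattern=core'"
        return 1
    fi
}

# Check the live system when run on Linux; does nothing elsewhere.
if [ -r /proc/sys/kernel/core_pattern ]; then
    core_dump_verdict "$(ulimit -c)" "$(cat /proc/sys/kernel/core_pattern)" || true
fi
```

The limit that matters is the one in effect in the environment that starts Bro, so run the check as the same user and from the same shell context.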




