[Bro] Bro SMB and segfaulting

[John Donnelly]

You could build Bro with debug.
  rm -rf build.
  ./configure --enable-debug
   make install

 Start bro with your setup and use gdb to attach to the running process :

     gdb -p <pid of bro >

When it segfaults .. gdb will wake up and you can post the trace using "t"
command (stack trace) .



On Fri, Dec 19, 2014 at 9:52 AM, Mike Reeves <luke at geekempire.com> wrote:
>
> Hey all!
>
>         I compiled Vlad’s topic from github to try it out. It runs fine on
> low speed environments but when I drop it on a high speed sensor it blows
> up. The link the sensor is on runs at between 600Mbit and 2.5Gbit. When I
> was doing the testing it was running at around 700Mbit and 1.7M PPS. Normal
> Bro 2.3.1 runs fine with no traffic being dropped at the ring. I am running
> pf_ring vanilla. The box runs 1 manager, 2 proxies, and 10 workers. The box
> is a dual 10 core HT with 128GB of RAM. All workers are pinned to real
> processors. The sensor starts and begins writing logs and then the disk IO
> goes to 100% and stops writing. It also starts dropping packets from the
> ring immediatly. Then the workers segfault and I have to stop it because
> when they go into crazy town they tie up the disk IO. The conn log and the
> syslog.log are much larger than the smb logs. I tried turning off logging
> on some of the other busy log files in case it is a disk IO problem. It
> didn’t make a difference. I write a LOT of logs on normal 2.3.1 and the IO
> usage is ver low.
>
> Has anyone had any luck running the SMB analyzer on high a high speed
> link? Is there anything I can provide to help figure out the root cause?
>
> Thanks
>
> Mike
> @TOoSmOotH
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20141220/7089b82d/attachment.html