[Bro] NO DHCP.log

Johanna Amann johanna at icir.org
Fri Feb 26 09:39:56 PST 2016


Ok, with all that - I am basically out of ideas. Can you check that
local.bro does not contain anything that might prevent dhcp.log from being
written (the line would have DHCP::LOG in it). But that is very unlikely.

If that yields nothing - could you perhaps capture a tiny snippet of the
dhcp traffic with tcpdump, just run bro on the command line and see if
that generates dhcp.log? If no - could you potentially (privately) send me
a small amount of that traffic?

Johanna

On Fri, Feb 26, 2016 at 09:32:46PM +0400, Zafar Pravaiz wrote:
> 
> > On Feb 26, 2016, at 9:18 PM, Johanna Amann <johanna at icir.org> wrote:
> > 
> > Hello,
> > 
> > On Fri, Feb 26, 2016 at 10:00:25AM +0400, Zafar Pravaiz wrote:
> >> I am running SO 14.04. This is just capturing DNS and DHCP traffic on a
> >> span port. Recently I ran soup and rebooted the box. After that I have
> >> noticed no DHCP log is showing up in the Bro logs. I can see known_services
> >> shows DHCP as a service, but there is no dhcp.log file being generated. Any
> >> clue what went wrong?
> > 
> > On a first glance I do not really have any idea what went wrong, but there
> > are a few things to check -
> > 
> > * just to verify, dns.log is still being written correctly?
> > 
> 
> Yes, dns.log is being updated as expected.
> 
> > * could you check that you see dhcp connections in conn.log? They should
> >  be tagged with dhcp in the service field.
> > 
> 
> Yes, I can see conn.log getting entries for DHCP.
> 
> > and
> > 
> > * could you verify that loaded_scripts.log contains
> >  scripts/base/protocols/dhcp?
> > 
> 
> These are the scripts being loaded:
> 
>    /opt/bro/share/bro/base/bif/plugins/Bro_DHCP.events.bif.bro
>   /opt/bro/share/bro/base/protocols/dhcp/__load__.bro
>     /opt/bro/share/bro/base/protocols/dhcp/consts.bro
>     /opt/bro/share/bro/base/protocols/dhcp/main.bro
>       /opt/bro/share/bro/base/protocols/dhcp/utils.bro
> 
> > Johanna
> 
> 
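
The checks from this thread, scripted as an added example (not part of the original messages and not code from the Bro project): it reads the `service` column of conn.log via the `#fields` header, looks for the DHCP scripts in loaded_scripts.log, and searches local.bro for `DHCP::LOG`. The function names, verdict strings and sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: the thread's checks as functions. Sample logs are constructed.

# Count rows of a Bro TSV log whose "service" column lists the given service.
# The column position comes from the "#fields" header, not a hard-coded index.
count_service() {  # usage: count_service <conn.log> <service>
  awk -F'\t' -v svc="$2" '
    $1 == "#fields" { for (i = 2; i <= NF; i++) if ($i == "service") col = i - 1; next }
    /^#/ { next }
    col { n = split($col, s, ","); for (j = 1; j <= n; j++) if (s[j] == svc) { hits++; break } }
    END { print hits + 0 }' "$1"
}

# Count loaded_scripts.log entries whose path contains the given fragment.
count_loaded() {  # usage: count_loaded <loaded_scripts.log> <path-fragment>
  awk -v frag="$2" '!/^#/ && index($0, frag) { n++ } END { print n + 0 }' "$1"
}

# Count lines of local.bro that mention DHCP::LOG outside a "#" comment.
count_log_refs() {  # usage: count_log_refs <local.bro>
  awk '{ sub(/#.*/, "") } /DHCP::LOG/ { n++ } END { print n + 0 }' "$1"
}

# Walk the checks in the order used in the thread and name the first that fails.
diagnose() {  # usage: diagnose <log-dir> <local.bro>
  if [ "$(count_service "$1/conn.log" dhcp)" -eq 0 ]; then echo "no-dhcp-in-conn.log"
  elif [ "$(count_loaded "$1/loaded_scripts.log" base/protocols/dhcp/)" -eq 0 ]; then echo "dhcp-scripts-not-loaded"
  elif [ "$(count_log_refs "$2")" -gt 0 ]; then echo "review-local.bro"
  elif [ -e "$1/dhcp.log" ]; then echo "ok"
  else echo "capture-and-replay-pcap"
  fi
}

# Constructed sample data reproducing the reported state: no dhcp.log present.
demo=$(mktemp -d)
printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n' > "$demo/conn.log"
printf '1456508000.1\tCa1\t10.0.0.5\t68\t10.0.0.1\t67\tudp\tdhcp\n' >> "$demo/conn.log"
printf '1456508001.2\tCb2\t10.0.0.5\t5353\t10.0.0.1\t53\tudp\tdns\n' >> "$demo/conn.log"
printf '#fields\tname\n/opt/bro/share/bro/base/protocols/dhcp/main.bro\n' > "$demo/loaded_scripts.log"
printf '# default site policy\n@load tuning/defaults\n' > "$demo/local.bro"
diagnose "$demo" "$demo/local.bro"
```

With the sample data every check passes and no dhcp.log exists, so the verdict is the last step suggested in the thread: capture a small pcap and run bro on it from the command line.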

