[Bro] broctl print capture_filters failing

Aashish Sharma asharma at lbl.gov
Wed Apr 11 13:36:32 PDT 2018 

David, 

I have started using a different technique for debug/dumping now:

I tap into "event reporter_info" 

rough example : 

$cat a.bro  

redef capture_filters += { ["my-net"] = "(vlan and not net 1.2.0.0/16) or not net 1.2.0.0/16", } ; 

event bro_init()
{
    local _msg = "" ; 

        for (a in capture_filters)
        { 
               _msg = fmt ("capture-filters: %s-> %s", a, capture_filters[a]);
                event reporter_info(network_time(), _msg, peer_description);   
        } 
}


then run as: bro -i eth0 ./a.bro 


$cat reporter.log  | fgrep capture-filters 


you should see the output. 

event reporter_info is a good event to tap for dumping info in a cluster setup.
Basically I've used it as a cluster version of "print fmt (" used in standalone. 

Hope this helps, 
Aashish 


On Wed, Apr 11, 2018 at 07:58:43PM +0000, Perry, David wrote:
> I have a two-worker cluster running on an Ubuntu VM.  Bro was installed from the packages provided by OpenSUSE.
> Ubuntu 16.04.4 LTS
> Bro 2.5.3
> BroControl Version 1.7.
> 
> Aside from commenting out most "@load protocols/xxx" lines, I have made minimal changes to the configuration.
> 
> I am debugging capture filters but unfortunately broctl print capture_filters throws an error.  'broctl status' works fine.
> 
> broctl status
> Name         Type    Host             Status    Pid    Started
> manager      manager localhost        running   11704  10 Apr 15:09:24
> proxy-1      proxy   localhost        running   11880  10 Apr 15:09:25
> worker-1     worker  localhost        running   11937  10 Apr 15:09:27
> worker-2     worker  localhost        running   11938  10 Apr 15:09:27
> 
> broctl print capture_filters
>      manager   <error: cannot connect to 127.0.0.1:47761>
>      proxy-1   <error: cannot connect to 127.0.0.1:47762>
>     worker-1   <error: cannot connect to 127.0.0.1:47763>
>     worker-2   <error: cannot connect to 127.0.0.1:47764>
> 
> I added 'Debug=1' to broctl.cfg, re-ran the commands and looked in /opt/bro/spool/debug.log but found no additional information.
> 
> Perhaps I am still missing some software?  Incompatible version of python-broccoli (came from Ubuntu)?
> 
> David

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list