[Bro] Bro Logging Error: count value too high for JSON

Ian Gabriel iangabriel0 at gmail.com
Wed Jan 24 06:34:09 PST 2018


I am having some trouble with a bro script we have. It is listening on the
tcp_packet event and logging using the ASCII writer in JSON. As the subject
indicates, I am getting the error as follows:

error: conn/Log::WRITER_ASCII: count value too large for JSON: 184467440718605600000

From the bro manual I understand that the `count` data type is an unsigned
64-bit int, while `int` is a signed 64-bit int. From bro's git and my error
message, I understand that we cannot print values to JSON larger than the
signed int max. With my bro script, I printed out the `count` data types
passed to me in the `tcp_packet` hook (being SEQ LEN ACK), and noticed that
my SEQ numbers were the values that bro was having trouble serializing
properly as they were bigger than the signed int maximum. This raised the
eyebrows of a team member smarter than myself, as he reminded me that SEQ
numbers are 32 bits in length in TCP packets.

After changing the datatypes of the structs I am logging to `int` and
"downcasting" the `count` values, I no longer run into this problem... but
then I also get negative sequence numbers in my result : )

I wonder:

A) Am I doing something wrong?

B) There seems to be a related issue on the issue tracker:
https://bro-tracker.atlassian.net/browse/BIT-1863 , but I am thinking there
might be some intricacies with how bro generates sequence numbers for a
given packet/pcap?

Bro is passing these values directly to the tcp_event hook, and I am doing
no manipulation before printing out these too large sequence numbers, which
is why I am not attaching my broscript.

Thanks in advance for your time,

Ian
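
Added example (not part of the original message, and not Bro's own code): Python that reproduces the integer ranges the message describes, showing when a `count` exceeds the signed 64-bit maximum and why reinterpreting it as `int` yields a negative number. The sample values are constructed, and treating the low 32 bits as the TCP sequence number is an assumption, not something the message confirms.

```python
import struct

INT64_MAX = 2**63 - 1    # largest value of a signed 64-bit `int`
UINT64_MAX = 2**64 - 1   # largest value of an unsigned 64-bit `count`
SEQ_SPACE = 2**32        # TCP sequence numbers are 32 bits wide


def as_signed64(count):
    """Reinterpret the 64 bits of a `count` as a signed `int` (the "downcast")."""
    if not 0 <= count <= UINT64_MAX:
        raise ValueError("not a 64-bit unsigned value")
    return struct.unpack("<q", struct.pack("<Q", count))[0]


def inspect_count(count):
    """Describe how one logged `count` behaves under each representation."""
    return {
        "count": count,
        # Limit described in the message: nothing above the signed maximum.
        "exceeds_signed_max": count > INT64_MAX,
        # Same bit pattern read as two's complement: negative above INT64_MAX.
        "as_int": as_signed64(count),
        # Assumption: only the low 32 bits are meaningful as a sequence number.
        "low_32_bits": count % SEQ_SPACE,
    }


# Constructed sample values, not taken from the original capture.
SAMPLES = [1000, 2**32 - 1, INT64_MAX, INT64_MAX + 1, UINT64_MAX - 4]

if __name__ == "__main__":
    for value in SAMPLES:
        print(inspect_count(value))
```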