[Bro] sum stats q.

Dk Jack dnj0496 at gmail.com
Fri Nov 30 12:03:59 PST 2018


Thanks for investigating this Justin. I was scratching my head for two days :)

Btw, I am using 2.4.1. Since my requirements were very simple, I ended up creating my own table and writing the accumulated counts to the log periodically using the ‘schedule’ primitive. That’s working correctly. Hopefully, I can get rid of that and move to the sumstats version when I upgrade my bro to 2.6. 

Thanks again. 

Dk. 

On Nov 30, 2018, at 11:14 AM, Azoff, Justin S <jazoff at illinois.edu> wrote:

>> 
>> Hi Justin,
>> Thanks for responding. My problem is not with try.bro.org but with how sumstats seem to work. I was just using try.bro.org to demonstrate the issue in case someone wanted to try my test.
>> 
> 
> Hi,
> 
> While trying to reproduce your problem I found that this was fixed a few months ago:
> 
> https://github.com/bro/bro/commit/3495b2fa9d84e8105a79e24e4e9a2f9181318f1a#diff-3248d64d10c61bb0656f5c167feca5f0
> 
> I ended up tracking down the root cause only to realize this is already fixed
> in 2.6 :-)  Never hurts to practice bro script debugging though.  Turns out the old script was deleting entries from a table while iterating over it, which is undefined behavior in bro (and in many other languages).
> 
> I have a directory with http.pcap and your script (s.bro)
> 
> I run a bro 2.5.5 container and count the results, getting 128 instead of 197.
> 
>    justin@mbp:~/b$ docker run -t -i --rm -v `pwd`:/b broplatform/bro:2.5.5
>    root@cbd05c9035c3:/# cd /b
>    root@cbd05c9035c3:/b# bro -r http.pcap s.bro
>    Creating HttpStats log stream and HTTP sumstats
>    1320279683.449294 ./s.bro, line 55: scount=197
>    root@cbd05c9035c3:/b#
>    root@cbd05c9035c3:/b# cat http-stats.log |bro-cut hits | awk '{s+=$1} END {printf "%.0f\n", s}'
>    128
> 
> Now I do the same test again but using bro 2.6 released yesterday and get the correct result of 197:
> 
>    justin@mbp:~/b$ docker run -t -i --rm -v `pwd`:/b broplatform/bro:2.6
>    root@869655245d1d:/# cd /b
>    root@869655245d1d:/b# bro -r http.pcap s.bro
>    Creating HttpStats log stream and HTTP sumstats
>    1320279683.449294 ./s.bro, line 55: scount=197
>    root@869655245d1d:/b#
>    root@869655245d1d:/b# cat http-stats.log |bro-cut hits | awk '{s+=$1} END {printf "%.0f\n", s}'
>    197
> 
> 
> -- 
> Justin
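
The workaround described in the reply (a private table whose counts are written out periodically with `schedule`), sketched so that it never deletes from the table it is iterating over, which is the root cause named in the quoted message. This is an added example, not code from the thread or from the Bro project; the module name, log path, field names and flush interval are assumptions.

```bro
# Added example, not from the thread; all names and the interval are assumed.
module HttpHits;

export {
	redef enum Log::ID += { LOG };
	type Info: record {
		ts:   time  &log;
		host: addr  &log;
		hits: count &log;
	};
	const flush_interval = 5min &redef;
}

# Requests seen per responder since the last flush.
global hits: table[addr] of count &default=0;
global flush: event();

function write_and_clear()
	{
	# Pass 1: read-only iteration; remember which keys were written.
	local written: set[addr] = set();
	for ( h in hits )
		{
		Log::write(LOG, [$ts=network_time(), $host=h, $hits=hits[h]]);
		add written[h];
		}
	# Pass 2: walk the key snapshot, so "hits" is never modified
	# while it is the table being iterated.
	for ( h in written )
		delete hits[h];
	}

event flush()
	{
	write_and_clear();
	schedule flush_interval { flush() };
	}

event bro_init()
	{
	Log::create_stream(LOG, [$columns=Info, $path="http-hits"]);
	schedule flush_interval { flush() };
	}

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
	{ ++hits[c$id$resp_h]; }

# Write the counts accumulated after the last scheduled flush.
event bro_done() { write_and_clear(); }
```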
