Hi all,
Recently I have some problems with Bro and PF_RING in cluster.
On my server, when I have less than 32 worker threads(rings),
everything is okay, but when I use worker threads more than 32, pf_ring
start to receive repeating data packets. For example, rings less than 32, I
send 400000 packets to server and pf_ring info in /proc shows there is
400000 packets in rings, but when rings greater than 32, I can get 800000
packets when 33 rings and 1200000 packets when 34 rings and so on.
I guess if there is some rules that a pf_ring or a bro cluster can only
support less than 32 rings or worker threads on a server or some other
reasons?
Any insight would be helpful.
Does it have this function?I just want to only analyze http packages.And
Does it can reduce capture loss rate via analyzing less packages? Thanks a
lot.
Hi everybody,
I have noticed that in many app level analyzers there is a sort of "safety check" in the method DeliverStream which essentially returns when the tcp session is partial, i.e.
if ( TCP() && TCP()->IsPartial() )
return;
This is true for example for the HTTP, SSH, SSL analyzers and more. My understanding is that this is to prevent app layer analyzers or scripts relying on them from breaking down or missing some information when processing packets with possible missing bytes.
Am I right? How much reliable is this check TCP()->IsPartial() for partial tcp sessions in the tcp analyzer?
Thanks,
Mauro
Hi
In the tcp_packet event, how can I obtain the *absolute values* (found in
the tcp header), not the relative values of ack and seq numbers.
Best regards,
Hui Lin
--
Hui Lin
Ph.D. Candidate (http://hlin33.web.engr.illinois.edu/)
DEPEND (http://depend.csl.illinois.edu/)
ECE, Uni. of Illinois at Urbana-Champaign
Hi, I've been trying to install this plugin and it seems to have
some issues or confusion between bro and zeek for that plugin.
Anyone encountered this issue?
Thanks!
~]# zkg install apache/metron-bro-plugin-kafka
The following packages will be INSTALLED:
zeek/apache/metron-bro-plugin-kafka (0.3)
Verify the following REQUIRED external dependencies:
(Ensure their installation on all relevant systems before proceeding):
from zeek/apache/metron-bro-plugin-kafka (0.3):
librdkafka ~0.11.5
Proceed? [Y/n]
zeek/apache/metron-bro-plugin-kafka asks for LIBRDKAFKA_ROOT (Path to
librdkafka installation tree) ? [/usr/local/lib]
Saved answers to config file: /root/.zkg/config
Running unit tests for "zeek/apache/metron-bro-plugin-kafka"
error: failed to run tests for zeek/apache/metron-bro-plugin-kafka: package
build_command failed, see log in
/root/.zkg/logs/metron-bro-plugin-kafka-build.log
Proceed to install anyway? [N/y]
~]# cat /root/.zkg/logs/metron-bro-plugin-kafka-build.log
=== STDERR ===
=== STDOUT ===
Cannot determine Bro source directory, use --bro-dist=DIR.
Hello team,
How to measure the packet loss on open source zeek
I see capstats which has nic drops .is this using if config rx_dropped
counter or different
Thanks
Venkatesh
Hello team,
How to measure the packet loss on open source zeek
I see capstats which has nic drops .is this using if config rx_dropped
counter or different
Thanks
Venkatesh
Hello,
I have a Zeek script that I would like to add optional Broker functionality
to. I don't want it to be a requirement, so I'm adding run-time redef
options that can be toggled to enable/disable it.
Something like:
-------
export {
const broker_enable = F &redef;
}
@if (MODULE::broker_enable)
event bro_init()
{
Broker::listen("127.0.0.1", 9999/tcp);
}
@endif
-------
When I attempt to add this line to my local.bro/zeek file after the @load
package:
---
redef MODULE::broker_enable = T;
---
It won't override broker_enable and thus doesn't listen on the socket. I
assume that it's because the @load happens before the redef in local.bro,
and thus doesn't override when it checks for the @if ?
Is there a better way that I can do this? Like checking if Broker is
actually available? I tried this, but it doesn't work either:
---
@ifdef (Broker)
print "Broker Enabled";
@endif
---
Thanks in advance,
Andrew
