Mark Krenz
2018-11-12 19:47:53 UTC
I've inherited a Bro 2.5.5 setup from someone else and am coming to it
after it's been running for a while without producing any conn or other
protocol logs. I've tried restarting Bro and redeploying, but the only
logs that get started are
communication.log
loaded_scripts.log
packet_filter.log
reporter.log
stats.log
stderr.log
stdout.log
weird.log
None of these logs are filling up with anything useful or indicating
what the problem may be. The only useful message is
"non_ip_packet_in_ethernet" in the weird.log. That seems to point to a
network issue rather than a Bro issue, but I'd like to rule out a Bro
issue first if possible. At one point this setup did produce useful logs
but apparently it just stopped at some point and I'm not sure why. The
only thing somewhat unique about this setup is that at one point it
required me to use the setting 'redef encap_hdr_size=10;' to handle an
incompatibility between Bro and a vlan technology this network uses.
I've also verified that the taps that Bro is listening on are seeing
actual traffic by using tshark, which is able to decode the protocols.
Any suggestions as to where to start and how to diagnose this?
Thanks,
Mark
after it's been running for a while without producing any conn or other
protocol logs. I've tried restarting Bro and redeploying, but the only
logs that get started are
communication.log
loaded_scripts.log
packet_filter.log
reporter.log
stats.log
stderr.log
stdout.log
weird.log
None of these logs are filling up with anything useful or indicating
what the problem may be. The only useful message is
"non_ip_packet_in_ethernet" in the weird.log. That seems to point to a
network issue rather than a Bro issue, but I'd like to rule out a Bro
issue first if possible. At one point this setup did produce useful logs
but apparently it just stopped at some point and I'm not sure why. The
only thing somewhat unique about this setup is that at one point it
required me to use the setting 'redef encap_hdr_size=10;' to handle an
incompatibility between Bro and a vlan technology this network uses.
I've also verified that the taps that Bro is listening on are seeing
actual traffic by using tshark, which is able to decode the protocols.
Any suggestions as to where to start and how to diagnose this?
Thanks,
Mark