1285862632.803262/1434571577.132267 [dpd] TCPRS[101422] DeliverPacket(0, T, 9005, 0x7fff0d41bf80, 0) []
1285862632.803262/1434571577.132274 [dpd] TCP_ApplicationAnalyzer ignoring DeliverPacket(0, T, 9005, 0x7fff0d41bf80, 0) []

Are these two lines related? I'm stuck. I've run bro with GDB attached using a simple trace file and TCPRS_Analyzer::DeliverPacket never seems to be entered.

On Wed, Jun 17, 2015 at 1:26 PM, James Swaro <[email protected]> wrote:

> In Analyzer.cc, there is a quick check for 'if (skip)'. How does this
> variable get set?
>
> On Wed, Jun 17, 2015 at 10:30 AM, James Swaro <[email protected]>
> wrote:
>
>> If I understand the patch correctly, it would only cause problems for
>> connections with over 2GB of data payload, but I think it should work fine
>> for a small trace of say 200KB. I'm not seeing any events at all, nor am I
>> seeing the log files that should be created when using the analyzer.
>>
>> I'll correct the functions and test it out though.
>>
>> On Wed, Jun 17, 2015 at 10:10 AM, Vlad Grigorescu <[email protected]>
>> wrote:
>>
>>> On Wed, Jun 17, 2015 at 9:45 AM, James Swaro <[email protected]>
>>> wrote:
>>>
>>>> > Just a guess, but it could be related to this:
>>>> https://github.com/bro/bro/blob/master/CHANGES#L1578
>>>> I'm looking, but nothing seems to pop out at me.
>>>>
>>>> > The other big change was moving to plugins, but if you're seeing it
>>>> added as a child analyzer, that doesn't sound like it'd be the issue.
>>>> It seems to be ok. Did data delivery change from DeliverPacket to
>>>> something else?
>>>>
>>>> > Was this analyzer written in BinPAC, or in C++?
>>>> It was written in C++.
>>>>
>>>
>>> Well, what I meant with that change was that the functions used for data
>>> delivery changed. Specifically:
>>>
>>> Analyzer::{NextPacket, NextUndelivered, ForwardPacket,
>>> ForwardUndelivered, DeliverPacket, Undelivered} were modified to change the
>>> int seq parameter to a uint64. If your functions aren't updated, and are
>>> expecting a plain old int for the sequence number, I've seen the scenario
>>> you describe: the analyzer attaches, but doesn't function.
>>>
>>> --Vlad
>>>
>>
>> --
>> James Swaro
>>
>
> --
> James Swaro
>

--
James Swaro
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
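
Added example, not part of the thread and not Bro's source: a simplified C++ model of one mechanism behind the symptom Vlad describes, where a child analyzer that still declares `int seq` hides the base-class virtual instead of overriding it, so calls made through the base pointer never reach it. The class names `StaleAnalyzer` and `FixedAnalyzer`, the shortened three-parameter signature, and the returned strings are assumptions made for illustration.

```cpp
#include <cstdint>
#include <iostream>
#include <string>

// Simplified stand-in for the framework base class (assumed shape, not Bro's).
struct Analyzer {
    virtual ~Analyzer() = default;
    // Signature after the change: the sequence number is 64-bit.
    virtual std::string DeliverPacket(int, bool, uint64_t) {
        return "base: ignoring DeliverPacket";
    }
};

// Written against the old API: seq is still a plain int. The parameter list
// differs, so this declares a new virtual that hides the base one. It compiles
// cleanly without 'override' and is never reached through an Analyzer&.
struct StaleAnalyzer : Analyzer {
    virtual std::string DeliverPacket(int, bool, int seq) {
        return "stale child: seq=" + std::to_string(seq);
    }
};

// Updated signature. 'override' turns any future mismatch into a compile error.
struct FixedAnalyzer : Analyzer {
    std::string DeliverPacket(int, bool, uint64_t seq) override {
        return "fixed child: seq=" + std::to_string(seq);
    }
};

// The framework dispatches through the base type only.
std::string deliver_via_base(Analyzer& a) {
    return a.DeliverPacket(0, true, 9005);  // values taken from the log line
}

std::string run_stale() { StaleAnalyzer a; return deliver_via_base(a); }
std::string run_fixed() { FixedAnalyzer a; return deliver_via_base(a); }

int main() {
    std::cout << run_stale() << "\n" << run_fixed() << "\n";
    return 0;
}
```

Adding `override` to `StaleAnalyzer::DeliverPacket` makes the compiler reject the stale signature, and clang's `-Woverloaded-virtual` warning flags the hidden function without any source change.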
