[
https://bro-tracker.atlassian.net/browse/BIT-1475?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=22109#comment-22109
]
Johanna Amann commented on BIT-1475:
------------------------------------
Could you test if running bro with
{code}
bro t1.bro -r my.pcap --pseudo-realtime
{code}
or similar fixes your problem? That will start Bro in pseudo realtime mode and
read in the trace as fast as it happened on the wire, inserting sleeps where
necessary.
The problem seems to be that once processing of the tracefile stopped, no
heartbeats are sent to the input threads anymore -- those are necessary to get
the output of the command after it has been run. I am not quite sure why that
happens - but I think I remember that these are triggered by input traffic
(i.e. when there is no further traffic, there are no further heartbeats).
The reason that heartbeats happen when no trace is processed is the
communication framework - and I think that is special-cased then.
In any case - we should probably fix this.
> Exec::Run does not complete
> ---------------------------
>
> Key: BIT-1475
> URL: https://bro-tracker.atlassian.net/browse/BIT-1475
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master, 2.3
> Environment: Centos 6.6
> Reporter: Aaron
> Labels: hang
> Fix For: 2.5
>
> Attachments: bro.tar.gz
>
>
> I'm having trouble running an external program in the callback function for
> an event when processing a pcap file. It seems to work in bro_init, however,
> which confuses me.
> The working file will print out the output of the "ls" command, whereas the
> not-working file will not print out anything no matter how long I wait.
> Specifically here I want to use the event when bro detects a file in the pcap.
> working.bro (ran as simply "bro working.bro"):
> {code:java}
> @load base/utils/exec
> redef exit_only_after_terminate=T;
> event bro_init()
> {
> local t= "ls /";
> local cmd = Exec::Command($cmd=t);
> when (local res = Exec::run(cmd))
> {
> print "hello";
> print res$stdout;
> }
> }
> {code}
> notworking.bro (ran as bro -r my.pcap notworking.bro:
> {code:java}
> @load base/utils/exec
> @load base/frameworks/files
> @load base/frameworks/notice
> redef exit_only_after_terminate=T;
> event file_new(f: fa_file)
> {
> local t ="ls /";
> local cmd = Exec::Command($cmd=t);
> when (local res = Exec::run(cmd))
> {
> print "hello";
> print res$stdout;
> }
> }
> {code}
--
This message was sent by Atlassian JIRA
(v7.0.0-OD-05-005#70102)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
