The transcript below should look familiar to anyone who has used
gdb. The debugger's command prompt accepts debugger commands;
before each prompt, the line of policy code that will be executed
next is displayed.
First we activate the debugger with the -d command-line switch.
bobcat:~/bro/bro$ ./bro -d -r slice.trace brolite
Policy file debugging ON.
In bro_init() at policy/ftp.bro:437
437 have_FTP = T;
Next, we set a breakpoint in the connection_finished
event handler. A breakpoint causes the script's execution to stop
when it reaches the specified function. In this case there are many
event handlers for the connection_finished event, so the debugger
asks us to choose one.
(Bro [0]) break connection_finished
Setting breakpoint on connection_finished:
There are multiple definitions of that event handler.
Please choose one of the following options:
[1] policy/conn.bro:268
[2] policy/active.bro:14
[3] policy/ftp.bro:413
[4] policy/demux.bro:40
[5] policy/login.bro:496
[a] All of the above
[n] None of the above
Enter your choice: 1
Breakpoint 1 set at connection_finished at policy/conn.bro:268
Now we resume execution; when the breakpoint is reached, execution stops and the debugger prompt returns.
(Bro [1]) continue
Continuing.
Breakpoint 1, connection_finished(c = '[id=[orig_h=1.0.0.163,
orig_p=2048/tcp, resp_h=1.0.0.6, resp_p=23/tcp], orig=[size=0,
state=5], resp=[size=46, state=5], start_time=929729696.316166,
duration=0.0773319005966187, service=, addl=, hot=0]') at
policy/conn.bro:268
In connection_finished(c = '[id=[orig_h=1.0.0.163, orig_p=2048/tcp,
resp_h=1.0.0.6, resp_p=23/tcp], orig=[size=0, state=5], resp=[size=46,
state=5], start_time=929729696.316166, duration=0.0773319005966187,
service=, addl=, hot=0]') at policy/conn.bro:268
268 if ( c$orig$size == 0 || c$resp$size == 0 )
We now step through a few lines of code and into the
record_connection call.
(Bro [2]) step
274 record_connection(c, "finished");
(Bro [3]) step
In record_connection(c = '[id=[orig_h=1.0.0.163, orig_p=2048/tcp,
resp_h=1.0.0.6, resp_p=23/tcp], orig=[size=0, state=5], resp=[size=46,
state=5], start_time=929729696.316166, duration=0.0773319005966187,
service=, addl=, hot=0]', disposition = 'finished') at
policy/conn.bro:162
162 local id = c$id;
(Bro [4]) step
163 local local_init = to_net(id$orig_h) in local_nets;
We now print the value of the id variable, which was set by the
just-executed statement local id = c$id;. We follow that with a
backtrace (bt), which prints the chain of currently executing
functions and event handlers along with their actual arguments. We
then delete the breakpoint and continue execution to the end (the
remaining output has been trimmed).
(Bro [5]) print id
[orig_h=1.0.0.163, orig_p=2048/tcp, resp_h=1.0.0.6, resp_p=23/tcp]
(Bro [6]) bt
#0 In record_connection(c = '[id=[orig_h=1.0.0.163, orig_p=2048/tcp,
resp_h=1.0.0.6, resp_p=23/tcp], orig=[size=0, state=5],
resp=[size=46, state=5], start_time=929729696.316166,
duration=0.0773319005966187, service=, addl=, hot=0]', disposition =
'finished') at policy/conn.bro:163
#1 In connection_finished(c = '[id=[orig_h=1.0.0.163, orig_p=2048/tcp,
resp_h=1.0.0.6, resp_p=23/tcp], orig=[size=0, state=5],
resp=[size=46, state=5], start_time=929729696.316166,
duration=0.0773319005966187, service=, addl=, hot=0]') at
policy/conn.bro:274
(Bro [7]) delete
Breakpoint 1 deleted
(Bro [8]) continue
Continuing.
...
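The record values the debugger prints for arguments (and for print and bt output) follow a regular nested [name=value, ...] notation, and the transcript also shows how a backtrace frame is laid out. The parser below turns both into Python data so a value captured from a session can be inspected programmatically, for example to evaluate the test on policy/conn.bro:268 on the connection record that stopped at breakpoint 1. This is an added example, not code from the Bro manual or the Bro source: the grammar is inferred from the transcript alone (nested records, scalar values that may be empty, single-quoted arguments in frame lines), and the names parse_record, parse_frame, empty_side, SAMPLE_RECORD and SAMPLE_FRAME are this example's own.

```python
"""Parse the value notation Bro's policy-script debugger prints for
function arguments, `print` output and `bt` frames.

Added example, not part of the Bro manual or the Bro source. The grammar
is inferred from the transcript: records are `[name=value, ...]`, values
are nested records or scalars (possibly empty), and backtrace frames are
`#N In func(arg = 'value', ...) at file:line`.
"""
import re
from typing import Any, Dict, Tuple, Union

Value = Union[str, int, float, Dict[str, Any]]

# Constructed sample: the `c` argument from the transcript, on one line.
SAMPLE_RECORD = (
    "[id=[orig_h=1.0.0.163, orig_p=2048/tcp, resp_h=1.0.0.6, resp_p=23/tcp], "
    "orig=[size=0, state=5], resp=[size=46, state=5], "
    "start_time=929729696.316166, duration=0.0773319005966187, "
    "service=, addl=, hot=0]"
)

# Constructed sample: frame #0 of the `bt` output, on one line.
SAMPLE_FRAME = (
    "#0 In record_connection(c = '" + SAMPLE_RECORD
    + "', disposition = 'finished') at policy/conn.bro:163"
)


def _convert(token: str) -> Value:
    """Integers and decimals become numbers; addresses, ports such as
    2048/tcp, and empty strings stay as text."""
    if re.fullmatch(r"-?\d+", token):
        return int(token)
    if re.fullmatch(r"-?\d+\.\d+", token):
        return float(token)
    return token


def _parse_record_at(text: str, pos: int) -> Tuple[Dict[str, Any], int]:
    """Recursive-descent parse of one `[...]` record starting at text[pos].
    Returns the record and the offset just past its closing bracket."""
    if pos >= len(text) or text[pos] != "[":
        raise ValueError(f"expected '[' at offset {pos}")
    pos += 1
    fields: Dict[str, Any] = {}
    while True:
        while pos < len(text) and text[pos] == " ":
            pos += 1
        if pos < len(text) and text[pos] == "]":
            return fields, pos + 1
        eq = text.find("=", pos)
        if eq == -1:
            raise ValueError(f"field without '=' at offset {pos}")
        name = text[pos:eq]
        if not re.fullmatch(r"[A-Za-z_]\w*", name):
            raise ValueError(f"bad field name {name!r} at offset {pos}")
        pos = eq + 1
        if pos < len(text) and text[pos] == "[":
            value, pos = _parse_record_at(text, pos)  # nested record
        else:
            end = pos  # scalar runs up to the next ',' or ']' (may be empty)
            while end < len(text) and text[end] not in ",]":
                end += 1
            value = _convert(text[pos:end])
            pos = end
        fields[name] = value
        if pos < len(text) and text[pos] == ",":
            pos += 1
        elif pos >= len(text) or text[pos] != "]":
            raise ValueError(f"expected ',' or ']' at offset {pos}")


def parse_record(text: str) -> Dict[str, Any]:
    """Parse a complete printed record, e.g. the output of `print id`."""
    stripped = text.strip()
    record, pos = _parse_record_at(stripped, 0)
    if stripped[pos:]:
        raise ValueError(f"trailing data after record at offset {pos}")
    return record


_FRAME_RE = re.compile(r"^#(\d+) In (\w+)\((.*)\) at (\S+):(\d+)$")
_ARG_RE = re.compile(r"(\w+) = '([^']*)'")


def parse_frame(line: str) -> Dict[str, Any]:
    """Parse one backtrace frame into depth, function, arguments and source
    location; record-valued arguments are parsed recursively."""
    m = _FRAME_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a backtrace frame: {line!r}")
    depth, func, arglist, path, lineno = m.groups()
    args: Dict[str, Value] = {}
    for name, raw in _ARG_RE.findall(arglist):
        args[name] = parse_record(raw) if raw.startswith("[") else raw
    return {"depth": int(depth), "function": func, "args": args,
            "file": path, "line": int(lineno)}


def empty_side(conn: Dict[str, Any]) -> bool:
    """The test at policy/conn.bro:268 in the transcript, evaluated on a
    parsed connection record: true when either endpoint sent no payload."""
    return conn["orig"]["size"] == 0 or conn["resp"]["size"] == 0


if __name__ == "__main__":
    frame = parse_frame(SAMPLE_FRAME)
    conn = frame["args"]["c"]
    print(frame["function"], frame["args"]["disposition"],
          frame["file"], frame["line"])
    print("id:", conn["id"])
    print("empty side:", empty_side(conn))
```

The parser deliberately keeps ports (2048/tcp) and addresses as strings rather than guessing a type, since the debugger output does not carry type information; only unambiguous integers and decimals are converted. For the transcript's record, empty_side returns True because c$orig$size is 0, which matches the condition tested at line 268.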