The Bro debugger is invoked with the -d command-line
switch. It is strongly recommended that the debugger be used with a
tcpdump capture file as input (the -r switch) rather than in
“live” mode, so that results are repeatable.

Execution tracing is a feature which generates a complete record of
which code statements are executed during a given run. It is enabled
with the -t switch, whose argument specifies a file which
will contain the trace.

Debugger commands are all single words, though many of them take
additional arguments. Commands may be abbreviated with a prefix
(e.g., fin for finish); if the same prefix matches
multiple commands, the debugger will list all that match. Certain
very frequently-used commands, such as next, have been
given specific one-character shortcuts (in this case,
n). For more details on all the debugger commands, see the
Reference section, below.

The debugger's prompt can be activated in three ways. First, when
the -d switch is supplied, Bro stops in the
bro_init initialization function (more precisely, after
global-scope code has been executed; see section Notes and Limitations). It is
also activated when a breakpoint is hit. Breakpoints are set with
the break command (see the Reference). The final way to
invoke the debugger's prompt is to interrupt execution by pressing
Ctrl-C (sending an Interrupt signal to the process). Execution will
be suspended after the currently-executing line is completed.