NO DHCP.log

Hi,

I am running SO 14.04. This is just capturing DNS and DHCP traffic on a span port. Recently I ran soup and rebooted the box. After that I have noticed no DHCP log is showing up in the bro logs. I can see known_services shows DHCP as a service, but there is no dhcp.log file being generated. Any clue what went wrong?

I would appreciate any help

Thanks
Zafar

Hello,

> I am running SO 14.04. This is just capturing DNS and DHCP traffic on a
> span port. Recently I ran soup and rebooted the box. After that I have
> noticed no DHCP log is showing up in the bro logs. I can see known_services
> shows DHCP as a service, but there is no dhcp.log file being generated. Any
> clue what went wrong?

On a first glance I do not really have any idea what went wrong, but there
are a few things to check -

* just to verify, dns.log is still being written correctly?

* could you check that you see dhcp connections in conn.log? They should
  be tagged with dhcp in the service field.

and

* could you verify that loaded_scripts.log contains
  scripts/base/protocols/dhcp?

Johanna

Hello,

>>> I am running SO 14.04. This is just capturing DNS and DHCP traffic on a
>>> span port. Recently I ran soup and rebooted the box. After that I have
>>> noticed no DHCP log is showing up in the bro logs. I can see known_services
>>> shows DHCP as a service, but there is no dhcp.log file being generated. Any
>>> clue what went wrong?

>> On a first glance I do not really have any idea what went wrong, but there
>> are a few things to check -
>>
>> * just to verify, dns.log is still being written correctly?

> Yes, dns.log is being updated as expected.

>> * could you check that you see dhcp connections in conn.log? They should
>> be tagged with dhcp in the service field.

> Yes, I can see conn.log getting entries for DHCP.

>> and
>>
>> * could you verify that loaded_scripts.log contains
>> scripts/base/protocols/dhcp?

> These are the scripts being loaded:
>
>    /opt/bro/share/bro/base/bif/plugins/Bro_DHCP.events.bif.bro
>   /opt/bro/share/bro/base/protocols/dhcp/__load__.bro
>     /opt/bro/share/bro/base/protocols/dhcp/consts.bro
>     /opt/bro/share/bro/base/protocols/dhcp/main.bro
>       /opt/bro/share/bro/base/protocols/dhcp/utils.bro

Ok, with all that - I am basically out of ideas. Can you check that
local.bro does not contain anything that might prevent dhcp.log from being
written (the line would have DHCP::LOG in it). But that is very unlikely.

If that yields nothing - could you perhaps capture a tiny snippet of the
dhcp traffic with tcpdump, just run bro on the command line and see if
that generates dhcp.log? If no - could you potentially (privately) send me
a small amount of that traffic?

Johanna
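
The checks suggested in this thread, gathered into one script as an added example that is not part of the original messages. The sample files are constructed, the function names are hypothetical, and the `local` policy name passed to `bro -r` in the replay helper is an assumption about the sensor's setup.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): offline versions of the suggested checks.

# Count conn.log rows whose service column includes dhcp. The column position
# is read from the Bro "#fields" header instead of being hard-coded.
count_dhcp_conns() {
  awk -F'\t' '
    /^#fields/ { for (i = 2; i <= NF; i++) if ($i == "service") col = i - 1; next }
    /^#/       { next }
    col && $col ~ /(^|,)dhcp(,|$)/ { n++ }
    END        { print n + 0 }' "$1"
}

# Succeed if loaded_scripts.log lists the base DHCP main.bro script.
dhcp_scripts_loaded() {
  grep -q 'base/protocols/dhcp/main\.bro' "$1"
}

# Print uncommented lines of a policy file that mention DHCP::LOG.
dhcp_log_overrides() {
  grep -n 'DHCP::LOG' "$1" | grep -v '^[0-9]*:[[:space:]]*#' || true
}

# Replay a capture through bro in a scratch directory; succeed if dhcp.log
# appears. Assumes bro is on PATH and "local" is the site policy to test.
replay_makes_dhcp_log() {
  local pcap work
  pcap=$(readlink -f "$1"); work=$(mktemp -d)
  (cd "$work" && bro -r "$pcap" local >/dev/null 2>&1)
  [ -s "$work/dhcp.log" ]
}

# Constructed sample files (not data from the thread).
demo=$(mktemp -d)
{
  printf '#fields\tts\tuid\tid.orig_h\tid.resp_p\tproto\tservice\n'
  printf '1.0\tCa1\t10.0.0.5\t67\tudp\tdhcp\n'
  printf '2.0\tCb2\t10.0.0.5\t53\tudp\tdns\n'
  printf '3.0\tCc3\t10.0.0.9\t67\tudp\tdhcp\n'
} > "$demo/conn.log"
printf '  /opt/bro/share/bro/base/protocols/dhcp/main.bro\n' > "$demo/loaded_scripts.log"
printf '%s\n' '# Log::disable_stream(DHCP::LOG);' \
  'event bro_init() { Log::disable_stream(DHCP::LOG); }' > "$demo/local.bro"

echo "dhcp connections: $(count_dhcp_conns "$demo/conn.log")"
dhcp_scripts_loaded "$demo/loaded_scripts.log" && echo "dhcp scripts loaded"
echo "active DHCP::LOG lines: $(dhcp_log_overrides "$demo/local.bro")"
```

On a live sensor, point the first three functions at the current log directory and the site policy file, and give `replay_makes_dhcp_log` a short tcpdump capture of the DHCP traffic.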