Hello. I’m running known-services.bro on a pcap file. I’m having two problems: no known-services.log file is being generated, and some packets trigger “internal warning: Unexpected IP version in FragReassembler”.
If I run dpd, the logs generated seem normal.
What can I do to debug these issues?
By default the known-hosts script only records hosts in your Site::local_nets. You can set that with networks.cfg if you are running broctl or you can set it directly in Bro scripts like this...
redef Site::local_nets += { 1.2.3.0/24, 5.6.7.0/24 };
.Seth
You could also get the file generated by adding the local and the Site::local_nets that Seth mentioned; like this:
bro -r file.pcap local "Site::local_nets += { 172.16.0.0/16 }" known-services.bro
Where 172.16.0.0 is your local network.
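
An added example, not part of the thread above: one way to check whether Site::local_nets explains an empty log is to split the responders in the conn.log from the same run into those inside and outside the networks you configured. The function name, the sample log rows and the assumption that conn.log is in Bro's default tab-separated format are mine.

```python
import ipaddress
from collections import Counter

# Constructed sample in Bro's tab-separated conn.log layout (not from the thread).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1300000000.0\tCa1\t10.0.0.5\t50000\t172.16.4.10\t22\ttcp",
    "1300000001.0\tCa2\t10.0.0.5\t50001\t172.16.4.10\t80\ttcp",
    "1300000002.0\tCa3\t172.16.4.10\t50002\t8.8.8.8\t53\tudp",
    "1300000003.0\tCa4\t10.0.0.5\t50003\t192.168.1.7\t443\ttcp",
    "#close\t2011-03-13-00-00-00",
])


def split_responders(log_text, local_nets):
    """Count (resp addr, resp port, proto) tuples inside and outside local_nets.

    local_nets is a list of CIDR strings, i.e. the same values you would put
    in Site::local_nets (hypothetical helper, not a Bro API).
    """
    nets = [ipaddress.ip_network(n) for n in local_nets]
    fields = None
    inside, outside = Counter(), Counter()
    for line in log_text.splitlines():
        if line.startswith("#fields"):
            # Column names follow the "#fields" token, tab-separated.
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other header/footer lines such as #separator, #close
        if fields is None:
            raise ValueError("no #fields header before data rows")
        row = dict(zip(fields, line.split("\t")))
        addr = ipaddress.ip_address(row["id.resp_h"])
        key = (str(addr), int(row["id.resp_p"]), row["proto"])
        # An IPv4 address tested against an IPv6 network (or vice versa) is False.
        bucket = inside if any(addr in n for n in nets) else outside
        bucket[key] += 1
    return inside, outside


if __name__ == "__main__":
    local, remote = split_responders(SAMPLE_CONN_LOG, ["172.16.0.0/16"])
    print("responders inside local_nets:", sorted(local))
    print("responders outside local_nets:", sorted(remote))
```

If every responder lands in the "outside" set, the networks given to Site::local_nets do not cover the servers in the pcap.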