zeek/broker

Error during runtime on Windows

timwoj opened this issue · 1 comment

I haven't been able to attribute this to anything specific yet, but it happens with both pcaps and network traffic. If you leave Zeek running long enough, it will eventually print out this error:

[broker/ERROR] 2022-11-14T15:23:52.262 exception: POLLRDHUP: cannot read from closed pipe
[broker/ERROR] 2022-11-14T15:24:04.915 wrong number of bytes written to the pipe
*** unhandled exception: [id: 4, name: broker.core, exception typeid: class%20std.runtime_error]: wrong number of bytes written to the pipe
[broker/ERROR] 2022-11-14T15:24:04.920 wrong number of bytes written to the pipe

That error comes from the internal/connector.cc file.

Finally managed to build Zeek on Windows and get it running. I could reproduce this with Broker logging enabled and the POLLRDHUP always happens after 120 seconds, which got me wondering. I've written a small test program that just mimics the pipe communication and... same thing. Looks like our pipe* times out after 2 minutes on Windows. Setting keepalive on the socket didn't help, so I need to dig a bit more.

* Windows has no pipe() function. So we actually connect the process to itself over TCP localhost, which is the common "workaround".
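
The TCP-localhost pipe workaround described in the footnote above, as an added Python example that is not code from this thread or from Broker. The function names, the peer check and the constructed `b"wakeup"` payload are assumptions made for illustration; the check is there because a loopback listener can be reached by any local process, and the helpers report a closed peer explicitly.

```python
import socket

def loopback_pipe():
    """Return (reader, writer): a TCP connection from this process to itself."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    writer = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        listener.bind(("127.0.0.1", 0))  # loopback only, OS-chosen port
        listener.listen(1)
        writer.connect(listener.getsockname())
        reader, peer = listener.accept()
    except OSError:
        writer.close()
        raise
    finally:
        listener.close()  # one connection only; stop accepting
    # Any local process can reach this port: confirm the peer is our own socket.
    if peer != writer.getsockname():
        reader.close()
        writer.close()
        raise ConnectionError("unexpected peer on loopback pipe")
    return reader, writer

def write_all(sock, data):
    """Send every byte, looping over short writes; return the count sent."""
    view, sent = memoryview(data), 0
    while sent < len(data):
        sent += sock.send(view[sent:])
    return sent

def read_exact(sock, size):
    """Read exactly size bytes; a closed peer is an error, not empty data."""
    buf = bytearray()
    while len(buf) < size:
        chunk = sock.recv(size - len(buf))
        if not chunk:
            raise ConnectionError("cannot read from closed pipe")
        buf += chunk
    return bytes(buf)

def demo():
    reader, writer = loopback_pipe()
    with reader, writer:
        msg = read_exact(reader, write_all(writer, b"wakeup"))  # constructed payload
        writer.close()  # simulate the write end going away
        try:
            read_exact(reader, 1)
        except ConnectionError as exc:
            return msg, str(exc)
        return msg, None
```
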