[Bro] RemoteSerializer.cc

Sandro Reichert sanreich at gmx.de
Sun Oct 15 10:53:00 PDT 2006


I'm still analyzing the inter-bro(1.1) communication :-)

line 634/635 and 637/638 are identical:
  	p->our_class = our_class ;

SocketComm::Run (): lines 2333 to 2361
[1] if ( io->IsFillingUp() && ! shutting_conns_down ) {}
and [2] if ( ! io->IsFillingUp() && shutting_conns_down ) {}

- bro node A is connected to nodes B and C.
- B sent 4GB, C only 20MB
- now C generates much traffic and A's queue to parent is filling up
   -> [1] becomes true, but instead of C, B is detected as the 
connection with the heaviest traffic and therefor disconnected;
shutting_conns_down = true.
- C still floods A, [1] and [2] are false and C can't be stopped. (?)

My solution:
[a] 'bytes_read' should be a dynamic value. I think this consumes more 
resources than [b], but will detect the heaviest connection

[b] a timeout to set 'shutting_conns_down = false' if 
'io->IsFillingUp()' is still true. Problem: in worst case, it will 
disconnect all notes and the heaviest connection is the last one.

Bye Sandro

More information about the Bro mailing list