[Bro] Connection dictionaries

Yuppie yuppie4ever at gmail.com
Tue Apr 24 07:19:18 PDT 2007


I see that there are different connection dictionaries for tcp, udp
and icmp connections. These are indexed by originator/responder
ip/port 4-tuple. Is there a specific reason (apart from performance
maybe?) for going with this approach rather than creating a single
dictionary indexed by a 5-tuple, 5th-tuple being the protocol?

thanks
-y



More information about the Bro mailing list