[Bro] Differences in processing multiple traces with BRO and ipsumdump
vern at icir.org
Sat Jun 26 09:00:32 PDT 2010
> I still puzzled over ipsumdump because the difference in connection number
> is big and the tool does not give you any hint about the existence of a
> problem, thus it is easy to get a wrong analysis with bro.
Hmmmm - we make heavy use of ipsumdump for trace analysis, and haven't run
across this sort of problem before. If you can put together a demonstration
of the problem, send it to Eddie Kohler <kohler at cs.ucla.edu> (the ipsumdump
developer), he's quite responsive in fixing bugs. Also, cc me on the note,
as I'd like to understand the issue better.