[Bro] Differences in processing multiple traces with BRO and ipsumdump

Vern Paxson vern at icir.org
Sat Jun 26 09:00:32 PDT 2010

> I still puzzled over ipsumdump because the difference in connection number
> is big and the tool does not give you any hint about the existence of a
> problem, thus it is easy to get a wrong analysis with bro.

Hmmmm - we make heavy use of ipsumdump for trace analysis, and haven't run
across this sort of problem before.  If you can put together a demonstration
of the problem, send it to Eddie Kohler <kohler at cs.ucla.edu> (the ipsumdump
developer), he's quite responsive in fixing bugs.  Also, cc me on the note,
as I'd like to understand the issue better.


More information about the Bro mailing list