[Bro] ConnCompressor, TCP options
james.swaro at gmail.com
Thu Jan 6 17:58:28 PST 2011
On 01/06/2011 07:20 PM, Robin Sommer wrote:
> On Thu, Jan 06, 2011 at 15:50 -0500, you wrote:
>> Why is the initial packet faked and not passed as originally observed?
> Because it is not completely stored at that point. For a
> connection's initial packet, the compressor remembers only what's
> necessary for later analyzing it in full if more packets are coming
> in. That saves a lot of memory (and CPU actually) for things like
> scans and floods because for all those connections, Bro needs hardly
> any resources.
>> Can you disable the use of the compressor? If so, how?
> See other mail. For an offline trace analysis, you probably want to
> do that.
Thank you for both answers. The first was a curiosity question and the
second, a necessity. Thank you, and rmkml, for the prompt answers.
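The behaviour described in the quoted reply, as an added toy model that is not part of the thread and not Bro's own code: a first packet is reduced to a small record, and only when a second packet arrives is the first one rebuilt (faked) for full analysis. The fields kept in `PendingConn`, and the fact that TCP options are not among them, are assumptions of this model, as are all class and function names.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

ConnKey = Tuple[str, int, str, int]  # src IP, src port, dst IP, dst port

@dataclass(frozen=True)
class Packet:
    key: ConnKey
    ts: float
    flags: str
    seq: int
    options: bytes = b""        # raw TCP options as seen on the wire
    synthesized: bool = False   # True when rebuilt from a PendingConn

@dataclass(frozen=True)
class PendingConn:
    """Minimal record for a first packet (field choice is an assumption)."""
    ts: float
    flags: str
    seq: int

class Compressor:
    def __init__(self) -> None:
        self.pending: Dict[ConnKey, PendingConn] = {}
        self.analyzed: Dict[ConnKey, List[Packet]] = {}

    def feed(self, pkt: Packet) -> None:
        src, sport, dst, dport = pkt.key
        for k in (pkt.key, (dst, dport, src, sport)):   # either direction
            if k in self.analyzed:        # already fully instantiated
                self.analyzed[k].append(pkt)
                return
            if k in self.pending:         # more packets: promote to full analysis
                first = self.pending.pop(k)
                fake = Packet(k, first.ts, first.flags, first.seq, synthesized=True)
                self.analyzed[k] = [fake, pkt]
                return
        self.pending[pkt.key] = PendingConn(pkt.ts, pkt.flags, pkt.seq)

MSS_1460 = bytes([2, 4, 0x05, 0xB4])   # TCP option: kind 2, length 4, MSS 1460
WEB = ("10.0.0.5", 51000, "10.0.0.1", 80)

def demo() -> Compressor:
    """Constructed traffic: three unanswered SYNs and one answered SYN."""
    c = Compressor()
    for port in (22, 23, 25):
        c.feed(Packet(("10.0.0.9", 40000 + port, "10.0.0.1", port), 1.0, "S", 100, MSS_1460))
    c.feed(Packet(WEB, 2.0, "S", 7000, MSS_1460))
    c.feed(Packet((WEB[2], WEB[3], WEB[0], WEB[1]), 2.1, "SA", 9000, MSS_1460))
    return c

if __name__ == "__main__":
    c = demo()
    print(len(c.pending), "pending;", c.analyzed[WEB][0])
```

In this model the three scan probes never leave the compact table, while the answered connection is analyzed with a rebuilt first packet that carries only the stored fields.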