[Bro-Dev] Per connection byte and packet counting
Seth Hall
seth at icir.org
Wed Dec 8 13:49:23 PST 2010
On Dec 8, 2010, at 4:44 PM, Gregor Maier wrote:
> If I do this, then I basically have variant (a). (with the addition that
> it's slower than (a)).
Heh, the worst of both worlds. :)
> The advantage of (b) is that it has no memory overhead if the counters
> are not used, but if I add them to the connection record, this advantage
> is gone.
Bro allocates memory for unused optional elements?
Oh, I guess I hadn't thought about this enough anyway. My thought was that you'd be able to give some signal back to the core with a BiF call or something, which would then enable the counting for the connection, but that doesn't work because by the time you get your first event (like connection_established) you've already missed several packets. Hm.
> The only way for (b) would be to have a global table, indexed by connid,
> that yields the counters. But I think this could be painful, because I
> would have to update this table from the event engine for each received
> packet.
That seems sort of hacky too.
.Seth