[Bro-Dev] Per connection byte and packet counting

Vern Paxson vern at icir.org
Wed Dec 8 20:21:16 PST 2010


> However, it will only be updated if the event
> engine calls BuildConnVal(), which is in general only done if a event
> for this connection is generated.

Yep.  Though with the optional approach, the event engine could know to
build the connection value for every packet if there's a pending "when"
that cares (at least, I think it can tell when this is the case - Robin
is the definitive viewpoint here).

> Note, that somebody could also generate a connection event and just pass

I don't see any need to worry about that.  No one is supposed to be
generating connection events.  Connection records are linked with the event
engine and thus shouldn't be created separately.

> I think the problem is that the connection record (and thus the conn_id)
> is only valid in the scope of the function.

This is also a question for Robin, as it involves the particulars of just
how "when" is implemented uner the hood.

		Vern


More information about the bro-dev mailing list