[Bro-Dev] Per connection byte and packet counting
Vern Paxson
vern at icir.org
Wed Dec 8 20:21:16 PST 2010
> However, it will only be updated if the event
> engine calls BuildConnVal(), which is in general only done if a event
> for this connection is generated.
Yep. Though with the optional approach, the event engine could know to
build the connection value for every packet if there's a pending "when"
that cares (at least, I think it can tell when this is the case - Robin
is the definitive viewpoint here).
> Note, that somebody could also generate a connection event and just pass
I don't see any need to worry about that. No one is supposed to be
generating connection events. Connection records are linked with the event
engine and thus shouldn't be created separately.
> I think the problem is that the connection record (and thus the conn_id)
> is only valid in the scope of the function.
This is also a question for Robin, as it involves the particulars of just
how "when" is implemented uner the hood.
Vern
More information about the bro-dev
mailing list