[Bro-Dev] PacketSorter

Gregor Maier gregor at icir.org
Thu Jul 28 14:36:03 PDT 2011


I was wondering about Bro's packet sorter. From a quick glance it 
appears that it's only enabled if packet_sort_window is set to a 
non-zero value. When enabled it will sort packets
   a) based on timestamps and
   b) for TCP packets based on SEQ/ACK numbers (I presume to ensure that
      ACKs are delivered after the data packet)

Note, this is independent from Bro's ability to process multiple trace 
files (or multiple interfaces) in order. So I was wondering about the 
use cases for PacketSorter, especially (a).

If the packet sorter is enabled Bro's behavior will slightly change: It 
won't pass ARP packets to the ARP analyzer, and it won't create a weird 
if it's not an IP packet.

I was just wondering whether anybody has recently used the packet 
sorter. If not, I'm wondering whether we should test this code path to 
see whether it works correctly, especially with respect to IPv6.

Or, actually, whether the packet sorter is worth keeping or whether we 
should remove the code.

And another question would be whether the TCP sorting would be better 
handled by the TCP analyzer.


Gregor Maier
<gregor at icir.org>  <gregor at icsi.berkeley.edu>
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
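The two ordering rules the post describes, (a) a timestamp sort inside a window and (b) holding a pure ACK back until the data it acknowledges has been delivered, as an added illustration. This is not Bro's PacketSorter code and does not reproduce the ARP/non-IP quirk mentioned above; it is a stand-alone Python sketch with a constructed six-packet trace in which the client's ACK was captured 2 ms before the server segment it acknowledges (clock skew between two taps). The Packet record, the window semantics (a packet is final once the newest seen timestamp is more than one window ahead of it) and the "acknowledges bytes of a later data segment in the same batch" test are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Packet:
    """Minimal packet record, constructed for this example (not Bro's Packet type)."""
    ts: float           # capture timestamp in seconds
    src: str
    dst: str
    proto: str          # "tcp", "udp", "arp", ...
    seq: int = 0        # TCP sequence number of the first payload byte
    ack: int = 0        # TCP acknowledgement number
    length: int = 0     # TCP payload length; 0 means a pure ACK
    label: str = ""     # human-readable tag for the demo


class PacketSorter:
    """Reorder buffer: (a) timestamp order within a window; (b) for TCP, never
    deliver a pure ACK before the data it acknowledges when that data sits in
    the same batch (assumed semantics, see lead-in)."""

    def __init__(self, window: float):
        self.window = window
        self.buf: List[Packet] = []
        self.newest = float("-inf")

    def push(self, pkt: Packet) -> List[Packet]:
        """Add a packet; return the packets whose position is now final."""
        self.buf.append(pkt)
        self.newest = max(self.newest, pkt.ts)
        cutoff = self.newest - self.window   # older than this: no later arrival can precede it
        ready = [p for p in self.buf if p.ts <= cutoff]
        self.buf = [p for p in self.buf if p.ts > cutoff]
        return self._order(ready)

    def flush(self) -> List[Packet]:
        """Drain whatever is still buffered (end of trace)."""
        ready, self.buf = self.buf, []
        return self._order(ready)

    @staticmethod
    def _order(batch: List[Packet]) -> List[Packet]:
        batch = sorted(batch, key=lambda p: p.ts)   # (a) stable timestamp sort
        # (b) for every pure ACK, the indices of *later* data segments of the
        # reverse direction whose bytes the ACK already covers
        waits: Dict[int, Set[int]] = {}
        for i, q in enumerate(batch):
            if q.proto != "tcp" or q.length:
                continue
            waits[i] = {
                j for j, p in enumerate(batch)
                if j > i and p.proto == "tcp" and p.length
                and (p.src, p.dst) == (q.dst, q.src)
                and p.seq + p.length <= q.ack
            }
        out: List[Packet] = []
        done: Set[int] = set()
        deferred: List[int] = []
        for i, p in enumerate(batch):
            if waits.get(i):
                deferred.append(i)          # ACK arrived before its data: hold it
                continue
            out.append(p)
            done.add(i)
            still = []                      # release ACKs whose data is now out
            for k in deferred:
                if waits[k] <= done:
                    out.append(batch[k])
                    done.add(k)
                else:
                    still.append(k)
            deferred = still
        out.extend(batch[k] for k in deferred)  # defensive; waited-on data is always in batch
        return out


def demo(window: float) -> List[str]:
    """Run the constructed trace through a sorter and return delivery order."""
    trace = [  # constructed, not from a real capture
        Packet(1.000, "10.0.0.1", "10.0.0.2", "tcp", seq=1, ack=1, length=100, label="C->S data 1..100"),
        Packet(1.004, "10.0.0.1", "10.0.0.2", "tcp", seq=101, ack=501, length=0, label="C->S ack 501"),
        Packet(1.006, "10.0.0.2", "10.0.0.1", "tcp", seq=1, ack=101, length=500, label="S->C data 1..500"),
        Packet(1.002, "10.0.0.9", "10.0.0.2", "udp", label="udp late arrival"),
        Packet(1.010, "10.0.0.1", "10.0.0.2", "tcp", seq=101, ack=501, length=50, label="C->S data 101..150"),
        Packet(1.500, "10.0.0.1", "ff:ff", "arp", label="arp"),
    ]
    sorter = PacketSorter(window)
    delivered: List[Packet] = []
    for pkt in trace:
        delivered += sorter.push(pkt)
    delivered += sorter.flush()
    return [p.label for p in delivered]


if __name__ == "__main__":
    print("window 0.0:", demo(0.0))   # arrival order: ACK precedes its data
    print("window 0.1:", demo(0.1))   # late UDP moved up, ACK after S->C data
```

With a zero window every packet is final on arrival, so the trace comes out exactly as captured and the ACK for bytes 1..500 reaches the TCP analyzer before those bytes do; with a 100 ms window the late UDP packet is moved to its timestamp slot and the ACK is released right after the server's data segment. The flush at the end is what delivers the trailing ARP packet, which is still inside the window when input stops.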
