gregor at icir.org
Thu Mar 17 16:41:49 PDT 2011
> I'm asking because one thing that always struck me as suboptimal is
> how currently many scripts are maintaining their own session table.
> E.g., the HTTP analyzer has http_sessions[conn_id] where it's stores
> its stuff.
> With the new record extension mechanisms we could instead do the other
> extreme: no script gets its own table anymore, the additional things
> just get added to a central record, like this Conn::Log. I'm not sure
> whether I really want to advocate that change but I was wondering what
> your (or anybodys) thoughts are.
I like the idea, however, I guess one question would be what the memory
overhead would be. Assuming that you have many analyzers or scripts that
want to add stuff to *some* connections. If the connection record is
extended every connection needs to have the additional field. Probably
as an optional, so it's only a NULL pointer, but still.
<gregor at icir.org> <gregor at icsi.berkeley.edu>
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
More information about the bro-dev