[Bro-Dev] active_conns

Gregor Maier gregor at icir.org
Thu Mar 17 16:41:49 PDT 2011


> I'm asking because one thing that always struck me as suboptimal is
> how currently many scripts are maintaining their own session table.
> E.g., the HTTP analyzer has http_sessions[conn_id] where it stores
> its stuff.

I agree.

> With the new record extension mechanisms we could instead do the other
> extreme: no script gets its own table anymore, the additional things
> just get added to a central record, like this Conn::Log. I'm not sure
> whether I really want to advocate that change but I was wondering what
> your (or anybody's) thoughts are.

I like the idea, however, I guess one question would be what the memory
overhead would be. Assuming that you have many analyzers or scripts that
want to add stuff to *some* connections. If the connection record is
extended, every connection needs to have the additional field. Probably
as an optional, so it's only a NULL pointer, but still.


cu
gregor
-- 
Gregor Maier
<gregor at icir.org>  <gregor at icsi.berkeley.edu>
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
http://www.icir.org/gregor/

