[Bro-Dev] #700: PacketSorter

Bro Tracker bro at tracker.bro-ids.org
Tue Nov 29 09:36:50 PST 2011

#700: PacketSorter
 Reporter:  gregor       |      Owner:
     Type:  Problem      |     Status:  new
 Priority:  Normal       |  Milestone:  Bro2.1
Component:  Bro          |    Version:
 Keywords:  BroV6, IPv6  |
 (from an e-mail I sent a while ago)
 Might be relevant for IPv6, so setting milestone to 2.1


 I was wondering about Bro's packet sorter. From a quick glance it
 appears that it's only enabled if packet_sort_window is set to a
 non-zero value. When enabled it will sort packets
    a) based on timestamps and
    b) for TCP packets based on SEQ/ACK numbers (I presume to ensure that
       ACKs are delivered after the data packet)

 Note, this is independent from Bro's ability to process multiple trace
 files (or multiple interfaces) in order. So I was wondering about the
 use cases for PacketSorter, especially (a)

 If the packet sorter is enabled Bro's behavior will slightly change: It
 won't pass ARP packets to the ARP analyzer, and it won't create a weird
 if it's not an IP packet.

 I was just wondering whether anybody has recently used the packet
 sorter. If not I'm wondering whether we should test this code path to
 see whether it works correctly esp wrt IPv6.

 Or, actually, whether the packet sorter is worth keeping or whether we
 should remove the code.

 And another question would be if the TCP sorting would better be handled
 by the TCP analyzer?


Ticket URL: <http://tracker.bro-ids.org/bro/ticket/700>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
