[Bro-Dev] change to PacketFilter framework for 2.1

Seth Hall seth at icir.org
Mon Feb 6 19:33:44 PST 2012


Just so everyone knows, I'm going to be making some modifications to the packet filtering framework's API for 2.1.  That PacketFilter::all_packets variable in 2.0 has been driving me crazy because it's a fairly hidden variable that you have to set in order to make other configuration settings work.

I'm going to go in the direction that restriction filters will be the primary method of filtering going forward.  The idea being that we want to watch everything, but we inform the packet filter as we learn that we don't want to see certain traffic anymore.  I will add a configuration variable to enable the old behavior of dynamically creating a capture_filter.  The default capture_filter for 2.1 will probably have a single entry of "ip or not ip" to capture everything.

This should help a lot with the reaction framework (as a fallback method to "shunt" traffic), the BPF based load balancing code, and the load levels framework when that comes back.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/