[Bro-Dev] #434: Fix secondary path

Bro Tracker bro at tracker.bro-ids.org
Fri Jul 13 19:14:29 PDT 2012

#434: Fix secondary path
  Reporter:  robin   |      Owner:
      Type:  Task    |     Status:  new
  Priority:  Normal  |  Milestone:  Bro2.2
 Component:  Bro     |    Version:
Resolution:          |   Keywords:

Comment (by seth):

 > Concrete example comes from wanting to estimate flow sizes in TCP
 > without having to capture all TCP packets.  You can do this with SYN+FIN
 > packets, except for very large flows that wrap the sequence space, you
 > can't figure out the correct connection size.  large-conns.bro allows
 > figuring this out at only the cost of a pretty inexpensive additional
 > packet filter.

 Instead of doing a secondary filter, does it make sense to have a filter
 which leaves ack packets being allowed through?  You will increase the
 number of packets making it through (the default window for large-conns is
 16KB so you may even get ~16x as many packets).  The difference I see
 though is that for each captured packet with the secondary path mechanism
 it ends up creating a Bro data structure and inserting an event in the
 event queue which is going to have a fair amount of load by itself.

 You have the obvious benefits of complete ack tracking such as monitoring
 for gaps and reusing the existing connection size counting code in the

 There is a lot of infrastructure type work I have ready for the 2.2
 release too which will make a lot of this sort of large and (and possibly
 dynamic) filter creation much easier.  If you write filters dynamically
 that become too large they can start to take a significant amount of time
 to compile but we should be able to work around that by threading the bpf
 compilation step (another use for the 'when' statement?).  Compiled BPF
 filter insertion time doesn't seem to increase with an increase in the
 size of the filter either.

 There is another implicit problem with this example that I don't like in
 that it relies on TCP offsets which don't work in BPF for IPv6 traffic and
 I don't expect that to start working anytime soon.

 I'm not necessarily fighting for or against the secondary path, but I'm
 having a hard time finding a concrete example that can't be done without
 the secondary path.

Ticket URL: <http://tracker.bro-ids.org/bro/ticket/434#comment:6>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker

More information about the bro-dev mailing list