[Bro-Dev] Proposed IOSource reorg

Robin Sommer robin at icir.org
Wed Dec 11 10:48:46 PST 2013


As I'm working on the reorg, I propose to do the following:

    - Remove flow sources completely for now. Per below, we should
      eventually turn them into a file analyzer and it doesn't look
      worth the effort (nor the ugliness) to migrate them over to the
      new structure first only to throw them out later. I'd be
      surprised if anybody is using them anyways.

    - Remove the secondary path from the packet-layer code. We have
      discussed this before and at that time decided for keeping the
      code; see https://bro-tracker.atlassian.net/browse/BIT-434

      However, I propose to go ahead and remove it now because (1) it
      doesn't really fit the new structure of making the API (mostly)
      pcap-independent (it never really fit in well in the first
      place, and has made the code a lot more complex); (2)
      large-conns.bro seems to be the only actual use case, which we
      don't ship with 2.x anymore, and I'm not convinced that by
      itself warrants a separate data path (can we find a different
      solution to the problem?); and (3) it would be quite a bit of
      additional effort to port the code and make sure it still works
      (we don't have any tests, not surprisingly).

Thoughts?

Robin

On Wed, Dec 04, 2013 at 11:12 -0500, you wrote:

> 
> On Dec 3, 2013, at 1:07 PM, Robin Sommer <robin at icir.org> wrote:
> 
> >    src/iosource/sources/flow-src/*
> 
> To document our conversation from yesterday, flow-src should probably
> be thrown out and the netflow analyzer turned into a file analyzer. 
> Extending the input framework to be able to open raw sockets would
> then enable us to create an input stream holding open a datagram
> socket and attach the netflow file analyzer to it.  This would
> simplify the whole thing and make it possible to reuse the netflow
> analyzer code because we could yank netflow directly off the wire with
> it too (pending some analyzer infrastructure re-architecting).
> 
>   .Seth 
> 
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
> 





-- 
Robin Sommer * Phone +1 (510) 722-6541 *     robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org/robin

