[Bro-Dev] [JIRA] (BIT-700) PacketSorter

Seth Hall (JIRA) jira at bro-tracker.atlassian.net
Sun Feb 9 21:36:37 PST 2014


    [ https://bro-tracker.atlassian.net/browse/BIT-700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15511#comment-15511 ] 

Seth Hall commented on BIT-700:
-------------------------------

Robin, I think you're going to have to make the call on this one.

> PacketSorter
> ------------
>
>                 Key: BIT-700
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-700
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: gregor
>            Assignee: Robin Sommer
>              Labels: BroV6,, IPv6
>             Fix For: 2.3
>
>
> (from an e-mail I sent a while ago)
> Might be relevant for IPv6 so setting milestone to 2.1
> Hi,
> I was wondering about Bro's packet sorter. From a quick glance it 
> appears that it's only enabled if packet_sort_window is set to a non-zero 
> value. When enabled it will sort packets
>    a) based on timestamps and
>    b) for TCP packets based on SEQ/ACK numbers (I presume to ensure that
>       ACKs are delivered after the data packet)
> Note, this is independent from Bro's ability to process multiple trace 
> files (or multiple interfaces) in order. So I was wondering about the 
> use cases for PacketSorter, especially (a)
> If the packet sorter is enabled Bro's behavior will slightly change: It 
> won't pass ARP packets to the ARP analyzer, and it won't create a weird 
> if it's not an IP packet.
> I was just wondering whether anybody has recently used the packet 
> sorter. If not I'm wondering whether we should test this code path to 
> see whether it works correctly esp wrt IPv6.
> Or, actually, whether the packet sorter is worth keeping or whether we 
> should remove the code.
> And another question would be if the TCP sorting would better be handled 
> by the TCP analyzer?
> Opinions?


