[Bro-Dev] [JIRA] (BIT-700) PacketSorter

Robin Sommer (JIRA) jira at bro-tracker.atlassian.net
Thu Feb 13 08:13:38 PST 2014


    [ https://bro-tracker.atlassian.net/browse/BIT-700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15544#comment-15544 ] 

Robin Sommer commented on BIT-700:
----------------------------------

For using IP timestamps the packet sorter will need work; it's just
looking at pcap timestamps right now. TCP is not a problem though: the
TCP reassembler does already put things in order according to sequence
numbers (having lots of reordering would impact performance though).


I think there are two different things going on here:

(1) normal packet reordering as it happens on the network: that's not
a problem for Bro, the TCP reassembler takes care of that for TCP and
in any case Bro is seeing the packets in the same order as the end
systems, so its interpretation will match theirs as well, which is all
we need.

(2) tapping introducing additional reordering that the client systems
do not see; that's a problem, and the most typical case is indeed
having two interfaces with uni-directional streams being merged
together.

So if we focus on (2) here I argue that it's a problem better solved
outside of Bro, namely where the packets are captured/passed on.
That's where my suggestion of using Click is coming from. In addition,
that would have the advantage of helping not only Bro but everybody.
> PacketSorter
> ------------
>
>                 Key: BIT-700
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-700
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: gregor
>            Assignee: Robin Sommer
>              Labels: BroV6, IPv6
>             Fix For: 2.3
>
>
> (from an e-mail I sent a while ago)
> Might be relevant for IPv6 so setting milestone to 2.1
> Hi,
> I was wondering about Bro's packet sorter. From a quick glance it
> appears that it's only enabled if packet_sort_window is set to a non
> zero value. When enabled it will sort packets
>    a) based on timestamps and
>    b) for TCP packets based on SEQ/ACK numbers (I presume to ensure that
>       ACKs are delivered after the data packet)
> Note, this is independent from Bro's ability to process multiple trace 
> files (or multiple interfaces) in order. So I was wondering about the 
> use cases for PacketSorter, especially (a)
> If the packet sorter is enabled Bro's behavior will slightly change: It 
> won't pass ARP packets to the ARP analyzer, and it won't create a weird 
> if it's not an IP packet.
> I was just wondering whether anybody has recently used the packet 
> sorter. If not I'm wondering whether we should test this code path to 
> see whether it works correctly esp wrt IPv6.
> Or, actually, whether the packet sorter is worth keeping or whether we 
> should remove the code.
> And another question would be if the TCP sorting would better be handled 
> by the TCP analyzer?
> Opinions?
--
This message was sent by Atlassian JIRA
(v6.2-OD-09-036#6252)
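The situation described in point (2) above, as an added illustration that is not Bro's own PacketSorter code: two uni-directional captures (one per tap interface, here constructed sample packets) are merged without regard to capture timestamps, so ACKs can reach the analyzer before the data they acknowledge. A bounded timestamp sort window, analogous in spirit to the `packet_sort_window` option mentioned in the issue, restores the order the end systems saw; a window that is too small lets late packets through out of place, which the code flags rather than silently dropping. All names (`Packet`, `tap_merge`, `sort_with_window`, `acks_before_data`) are hypothetical.

```python
"""Windowed reordering of a merged two-interface capture (added example)."""
import heapq
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(order=True)
class Packet:
    ts: float                               # capture timestamp (seconds)
    iface: str = field(compare=False)       # interface the tap captured it on
    kind: str = field(compare=False)        # "data" or "ack"
    seq: int = field(compare=False)         # data: own seq; ack: seq it acknowledges


# Constructed sample: client->server data on eth0, server->client ACKs on eth1.
# On the wire each ACK follows its data packet by 5 ms.
CLIENT_PKTS = [Packet(1.000, "eth0", "data", 1),
               Packet(1.010, "eth0", "data", 2),
               Packet(1.020, "eth0", "data", 3)]
SERVER_PKTS = [Packet(1.005, "eth1", "ack", 1),
               Packet(1.015, "eth1", "ack", 2),
               Packet(1.025, "eth1", "ack", 3)]


def tap_merge(first: List[Packet], second: List[Packet], batch: int = 2) -> List[Packet]:
    """Model of a tap handing over its two interface buffers in alternating
    batches, ignoring timestamps (the reordering the client never saw)."""
    merged: List[Packet] = []
    i = j = 0
    while i < len(first) or j < len(second):
        merged.extend(first[i:i + batch])
        i += batch
        merged.extend(second[j:j + batch])
        j += batch
    return merged


def sort_with_window(packets: List[Packet], window: float) -> Tuple[List[Packet], List[Packet]]:
    """Streaming sort by timestamp holding at most `window` seconds of packets.
    A packet is released once the newest timestamp seen is more than `window`
    ahead of it. A packet older than the last released one cannot be placed
    any more; it is passed through immediately and reported as late."""
    heap: List[Packet] = []
    newest = float("-inf")
    frontier = float("-inf")          # timestamp of the last released packet
    released: List[Packet] = []
    late: List[Packet] = []
    for p in packets:
        if p.ts < frontier:
            late.append(p)
            released.append(p)        # keep it, but it is out of order
            continue
        heapq.heappush(heap, p)
        newest = max(newest, p.ts)
        while heap and newest - heap[0].ts > window:
            q = heapq.heappop(heap)
            frontier = q.ts
            released.append(q)
    while heap:                       # end of capture: flush what is buffered
        released.append(heapq.heappop(heap))
    return released, late


def acks_before_data(packets: List[Packet]) -> int:
    """Count ACKs that appear before the data packet they acknowledge,
    i.e. the ordering the TCP sorting in the issue is meant to prevent."""
    seen_data = set()
    bad = 0
    for p in packets:
        if p.kind == "data":
            seen_data.add(p.seq)
        elif p.seq not in seen_data:
            bad += 1
    return bad


if __name__ == "__main__":
    merged = tap_merge(SERVER_PKTS, CLIENT_PKTS)
    print("tap order, ACKs before data:", acks_before_data(merged))
    ordered, late = sort_with_window(merged, window=0.05)
    print("window 50ms, ACKs before data:", acks_before_data(ordered), "late:", len(late))
    ordered, late = sort_with_window(merged, window=0.008)
    print("window 8ms, ACKs before data:", acks_before_data(ordered), "late:", len(late))
```

The sort window only helps when it covers the skew the tap introduces; with the sample's 10 ms inter-interface gap a 50 ms window recovers the wire order, while an 8 ms window already releases the first ACK before its data packet arrives and must pass that data packet through late.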