[Bro-Dev] [JIRA] (BIT-700) PacketSorter
Bernhard Amann (JIRA)
jira at bro-tracker.atlassian.net
Fri Feb 28 14:59:19 PST 2014
[ https://bro-tracker.atlassian.net/browse/BIT-700?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15605#comment-15605 ]
Bernhard Amann edited comment on BIT-700 at 2/28/14 4:59 PM:
-------------------------------------------------------------
sorry, me bad. Yes, delete. That was kind of the motivation for the patch :)
was (Author: amannb):
Uh.
Sorry. Und ich dachte, dass ich einmal einen problemfreien patch hinbekommen hab… das hab ich vergessen :(
> PacketSorter
> ------------
>
> Key: BIT-700
> URL: https://bro-tracker.atlassian.net/browse/BIT-700
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Reporter: gregor
> Assignee: Robin Sommer
> Labels: BroV6,, IPv6
> Fix For: 2.4
>
>
> (from an e-mail I sent a while ago)
> Might relevant for IPv6 so setting milestone to 2.1
> Hi,
> I was wondering about Bro's packet sorter. From a quick glance it
> appears that it's only enabled if packet_sort_window is set to a non
> zero value. When enabled it will sort packets
> a) based on timestamps and
> b) for TCP packets based on SEQ/ACK numbers (I presume to ensure that
> ACKs are delivered after the data packet)
> Note, this is independent from Bro's ability to process multiple trace
> files (or multiple interfaces) in order. So I was wondering about the
> use cases for PacketSorter, especially (a)
> If the packet sorter is enabled Bro's behavior will slightly change: It
> won't pass ARP packets to the ARP analyzer, and it won't create a weird
> if it's not an IP packet.
> I was just wondering whether anybody has recently used the packet
> sorter. If not I'm wondering whether we should test this code path to
> see whether it works correctly esp wrt IPv6.
> Or, actually, whether the packet sorter is worth keeping or whether we
> should remove the code.
> And another question would be if the TCP sorting would better be handled
> by the TCP analyzer?
> Opinions?
--
This message was sent by Atlassian JIRA
(v6.2-OD-09-036#6252)
More information about the bro-dev
mailing list