[Bro-Dev] [JIRA] (BIT-1119) topic/jsiwek/tcp-improvements

Robin Sommer (JIRA) jira at bro-tracker.atlassian.net
Wed Jan 29 08:24:58 PST 2014 

    [ https://bro-tracker.atlassian.net/browse/BIT-1119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15305#comment-15305 ] 

Robin Sommer commented on BIT-1119:
-----------------------------------

{quote}
have some script warn if all TCP connections are missing 100% of content and suggest toggling detect_filtered_trace
{quote}

I like that, is that something we can do efficiently?

{quote}
 But if it's actually not that important for a person using filtered traces to minimize output, I think it's fine enough as is?
{quote}

it's less the volume of output but the potential for confusion: one sees it and starts wondering what's wrong. It's easy to forget that TCP analysis gets confused because the trace is filtered. So if there was some way to point that out, that's all it would need. 

It's not a biggie but it's indeed in the same category like the checksums: something easy to get wrong without realizing what's going on, in particular because we're changing the default here.


> topic/jsiwek/tcp-improvements
> -----------------------------
>
>                 Key: BIT-1119
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1119
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Jon Siwek
>             Fix For: 2.3
>
>
> This branch is in the bro, bro-testing, and bro-testing-private repos and has a few changes to improve reporting of TCP connection sizes and gaps (commit messages explain in more detail).
> The baseline changes in the external repos all seemed reasonable/explainable (or actually fix a problem).  There's too much changed to go through case-by-case and actually check things, but I did do closer examinations of unique differences as I came across them (e.g. try to corroborate Bro results via wireshark).  Then for those that seem to follow the same trend as something I already inspected, I wouldn't manually check.



--
This message was sent by Atlassian JIRA
(v6.2-OD-07-028#6211)

More information about the bro-dev mailing list