[Bro-Dev] [JIRA] (BIT-1119) topic/jsiwek/tcp-improvements

Jon Siwek (JIRA) jira at bro-tracker.atlassian.net
Wed Jan 29 09:47:58 PST 2014 

    [ https://bro-tracker.atlassian.net/browse/BIT-1119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15307#comment-15307 ] 

Jon Siwek commented on BIT-1119:
--------------------------------

{quote}
it's less the volume of output but the potential for confusion: one sees it and starts wondering what's wrong. It's easy to forget that TCP analysis gets confused because the trace is filtered.
{quote}

I might be misremembering (or repressed the details of the TCP code), but isn't the TCP analysis *less* confused in the face of filtered traces with the change?  i.e. things are now most correct and it actually reports content gaps so e.g. missing_bytes fields for connections can be populated.

{quote}
but it's awesome to be able to notify people when things are failing and how they could fix it.
{quote}

I wouldn't say filtered traces fail due to the change, you just get more, possibly unexpected but not incorrect, output.

(I'm just trying to clarify perspective, not really against idea of sampling weirds to issue suggestion/warning)

> topic/jsiwek/tcp-improvements
> -----------------------------
>
>                 Key: BIT-1119
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1119
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Jon Siwek
>             Fix For: 2.3
>
>         Attachments: signature.asc
>
>
> This branch is in the bro, bro-testing, and bro-testing-private repos and has a few changes to improve reporting of TCP connection sizes and gaps (commit messages explain in more detail).
> The baseline changes in the external repos all seemed reasonable/explainable (or actually fix a problem).  There's too much changed to go through case-by-case and actually check things, but I did do closer examinations of unique differences as I came across them (e.g. try to corroborate Bro results via wireshark).  Then for those that seem to follow the same trend as something I already inspected, I wouldn't manually check.



--
This message was sent by Atlassian JIRA
(v6.2-OD-07-028#6211)

More information about the bro-dev mailing list