[Bro-Dev] Bro + real-time question

Vern Paxson vern at icir.org
Sun Sep 28 16:57:22 PDT 2014


For performance concerns, it's not clear that individual packets are the
right granularity to examine.  For example, if you stop processing one
packet you might be giving up on any subsequent analysis for the remainder
of its flow, which can have a large amplifying effect (or not) depending
on the size of the flow.

For a different approach to the problem, see section 5.3 ("Dynamically
controlling packet load") in the Operational Experiences paper,
http://www.icir.org/vern/papers/high-volume-ccs04.pdf .

		Vern
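As an added illustration of the amplification effect described above (this is constructed example code, not from the thread or from Bro), the Python simulation below compares dropping every k-th packet with dropping every k-th flow on a small made-up trace. The trace, the deterministic "every k-th" shedding rule, and the assumption that a flow losing any packet can no longer be analysed are all assumptions made here.

```python
"""Toy simulation of shedding load per packet versus per flow."""
from itertools import zip_longest

# Constructed trace (not real traffic): flow id -> packets in that flow.
FLOWS = {"dns1": 2, "dns2": 2, "http": 30, "bulk": 200}


def arrival_order(flows):
    """Interleave flows round-robin so their packets arrive concurrently."""
    streams = [[fid] * n for fid, n in flows.items()]
    for batch in zip_longest(*streams):
        for fid in batch:
            if fid is not None:
                yield fid


def shed_per_packet(flows, k):
    """Drop every k-th packet in arrival order, regardless of flow.

    Assumption: a flow that loses any packet can no longer be analysed
    (stream reassembly and protocol state break), so the packets already
    spent on it are wasted work.
    Returns (intact_flows, packets_processed, packets_wasted).
    """
    processed = {fid: 0 for fid in flows}
    broken = set()
    for i, fid in enumerate(arrival_order(flows), start=1):
        if i % k == 0:
            broken.add(fid)
        else:
            processed[fid] += 1
    intact = set(flows) - broken
    wasted = sum(processed[fid] for fid in broken)
    return intact, sum(processed.values()), wasted


def shed_per_flow(flows, k):
    """Drop every k-th new flow at its first packet and keep the rest whole.

    Every kept flow is fully analysable, so no processing is wasted.
    Returns (intact_flows, packets_processed, packets_wasted).
    """
    intact, seen = set(), []
    for fid in arrival_order(flows):
        if fid not in seen:
            seen.append(fid)
            if len(seen) % k != 0:
                intact.add(fid)
    return intact, sum(flows[fid] for fid in intact), 0
```

With k=4 the per-packet policy sheds only 58 of the 234 packets yet still loses the 200-packet flow after spending 142 packets of work on it, while the per-flow policy sheds that same flow for 200 packets of savings and wastes nothing.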

