[Bro-Dev] $history extensions - zero windows, logarithmic counts

Vern Paxson vern at corelight.com
Mon Jun 18 18:18:58 PDT 2018


> My thought for this was simply if it mattered *where* in the state history
> the trouble occurred.

I agree that it could ... but I think for at least some situations where
it does, for the logs to help in diagnosing them will require something
well beyond indicator flags.  It's interesting to consider what these might
look like, but for now I'd like to get this simpler additional functionality
implemented, as I think it'll already be handy - not pointwise for diagnosing
specific connections, but as manifest more in aggregate, such as "gee when
we talk with a.b.0.0/16 we sure do rack up the checksum errors" or such.

> I'm having a tough time thinking up additional use-cases without having
> some sample data, so perhaps the best course is to add what you proposed,
> and then revisit it if we feel like anything's missing.

Sounds good.  I'll aim to have a branch that people can try out ready
in a bit.

		Vern
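The aggregate use Vern describes above (checksum-error flags summed per /16 rather than read per connection) can be done directly from conn.log once repeated history letters carry a logarithmic count. The script below is an added example written for this page, not code from Bro/Zeek or from the thread's author. It assumes the history convention in which 'c'/'C' mark a bad checksum seen from the originator/responder side, 'w'/'W' a zero-window advertisement, and a repeated letter is emitted once at the 1st, 10th, 100th ... occurrence, so k copies of a letter mean at least 10**(k-1) events; the conn.log lines are constructed, and the four-column layout is a simplification of the real log.

```python
"""Aggregate conn.log history flags per responder /16 (added example).

Assumptions (not stated on the page): 'c'/'C' = bad checksum from
originator/responder, 'w'/'W' = zero window advertisement, and repeated
letters are logged logarithmically (1st, 10th, 100th ... occurrence).
"""
import ipaddress
from collections import Counter

# Minimal, constructed conn.log column layout (tab-separated). A real
# conn.log has many more fields; only these four matter here.
FIELDS = ["id.orig_h", "id.resp_h", "history", "conn_state"]

# Constructed sample records, not real traffic.
SAMPLE_LOG = """\
10.0.0.5\t203.0.113.7\tShADadCCCfF\tSF
10.0.0.6\t203.0.113.9\tShADadCfF\tSF
10.0.0.7\t198.51.100.2\tShADadfF\tSF
10.0.0.8\t203.0.113.12\tShADWWadfF\tSF
10.0.0.9\t203.0.113.12\tSccc\tS0
"""


def min_events(history: str, letter: str) -> int:
    """Lower bound on how often `letter`'s event occurred, given that the
    k-th copy of the letter is written at the 10**(k-1)-th occurrence
    (assumed logarithmic-count convention)."""
    k = history.count(letter)
    return 0 if k == 0 else 10 ** (k - 1)


def parse_conn_log(text: str) -> list[dict]:
    """Parse tab-separated records into dicts, skipping comments and
    malformed lines rather than raising on them."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def aggregate_by_prefix(rows: list[dict], letter: str, prefixlen: int = 16) -> Counter:
    """Sum lower-bound counts for `letter` in both directions (lower- and
    uppercase) per responder network of the given prefix length."""
    totals: Counter = Counter()
    for r in rows:
        net = ipaddress.ip_network(f"{r['id.resp_h']}/{prefixlen}", strict=False)
        hist = r["history"]
        totals[str(net)] += min_events(hist, letter.lower()) + min_events(hist, letter.upper())
    return totals


def main() -> None:
    rows = parse_conn_log(SAMPLE_LOG)
    for flag, label in (("c", "bad checksums"), ("w", "zero windows")):
        for net, n in aggregate_by_prefix(rows, flag).most_common():
            if n:
                print(f"{net}: at least {n} {label}")


if __name__ == "__main__":
    main()
```

Because a repeated letter only gives a power-of-ten floor, the totals are lower bounds; the point of aggregating is that a /16 whose floor is in the hundreds stands out even when no single connection looks alarming.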

