Question on discarder_* functions in version 7a90

Vern Paxson vern at aciri.org
Wed Sep 19 23:09:03 PDT 2001


> I've gotten the new version of bro, there're some changes but the most
> curious change is a series of discarder_* functions and their input type
> *_hdr. Could you draw some hints on their usages?

These are functions that, if you define them, are called on a per-packet
basis.  Your function needs to return either T, indicating that the packet
should be discarded and not processed further, or F, indicating that the
packet should be kept.

Discarders are basically a hack introduced to facilitate some of the
stepping-stone analysis (you can use them to trim a large trace file down
to a subset, where the definition of the subset is too complicated to fit
into a tcpdump filter, but can easily fit into a Bro table that the
discarder function consults).  They provide quite-general, but not very
efficient, functionality.

		Vern
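As an added illustration (not code from the original message or from the Bro distribution), a Bro policy script that uses a discarder to trim a trace to the packets touching a table of hosts and a few interactive-service ports, the kind of subset Vern describes. The `discarder_check_tcp` signature and the `ip_hdr`/`tcp_hdr` field names are assumed from Bro's reference manual of that period; the host and port values are constructed.

```bro
# Added example, not from the original post. Assumes the Bro-era signature
#   discarder_check_tcp(i: ip_hdr, t: tcp_hdr, d: string): bool
# and ip_hdr fields src/dst, tcp_hdr fields sport/dport.

# Constructed sample: hosts whose traffic we want to keep. A set lookup is
# cheap and can grow far beyond what a tcpdump expression would tolerate.
const hosts_of_interest: set[addr] = {
	10.0.0.5,
	10.0.0.17
} &redef;

# Interactive services worth keeping regardless of host, since these are
# the kinds of flows a stepping-stone analysis looks at.
const ports_of_interest: set[port] = { 22/tcp, 23/tcp, 513/tcp } &redef;

# Called once per TCP packet before any further processing.
# Return T to discard the packet, F to keep it.
function discarder_check_tcp(i: ip_hdr, t: tcp_hdr, d: string): bool
	{
	# Keep anything to or from a host we care about.
	if ( i$src in hosts_of_interest || i$dst in hosts_of_interest )
		return F;

	# Keep interactive-service traffic even for other hosts.
	if ( t$sport in ports_of_interest || t$dport in ports_of_interest )
		return F;

	# Everything else is dropped before connection tracking sees it.
	return T;
	}
```

Because the function runs in the script interpreter for every TCP packet, it is the generality that matters here, not the speed: a filter that can be expressed in tcpdump syntax should still go there.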
