[Bro] Differences in processing multiple traces with BRO and ipsumdump

Jim Mellander jmellander at lbl.gov
Fri Jul 2 08:57:09 PDT 2010


Vern Paxson wrote:
>> I'm still puzzled over ipsumdump because the difference in connection number
>> is big and the tool does not give you any hint about the existence of a
>> problem, thus it is easy to get a wrong analysis with bro.
> 
> Hmmmm - we make heavy use of ipsumdump for trace analysis, and haven't run
> across this sort of problem before.  If you can put together a demonstration
> of the problem, send it to Eddie Kohler <kohler at cs.ucla.edu> (the ipsumdump
> developer), he's quite responsive in fixing bugs.  Also, cc me on the note,
> as I'd like to understand the issue better.
> 
> 		Vern
> 

I used to use ipsumdump to stitch together multiple pcap files into one, but
have found on occasion that it doesn't always output in timestamp sorted order.
Don't have a testcase right now, but IIRC, it occurred if using a large number
of files.

Consequently, I wrote a little utility 'tcpsort', which although it has its
deficiencies (in memory sort of timestamps which restricts total size of input
files, and two passes thru the input files)  works for the purpose of stitching
multiple pcap files together in timestamp sorted order.  I can post it if
there's interest.



-- 
Jim Mellander
Lawrence Berkeley National Laboratory
(510) 486-7204

The reason you are having computer problems is:

knot in cables caused data stream to become twisted and kinked
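As an added illustration (not Jim's tcpsort, which is not posted in this thread), here is a Python sketch of the same two-pass scheme: pass one indexes every record's timestamp in memory, the index is sorted, and pass two copies the records out in order. It assumes classic little-endian pcap input whose files share a link type, and the sample captures it merges are constructed inline.

```python
# Added example, not tcpsort itself: merge several pcap files into timestamp
# order with an in-memory sort of (timestamp, source, offset) and a second pass
# that copies records. Classic pcap only (magic 0xa1b2c3d4, little-endian).
import struct
from io import BytesIO

PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, zone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len

def make_pcap(packets, linktype=1):
    """Build a pcap byte string from (ts_sec, ts_usec, payload) tuples (constructed test data)."""
    out = GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for sec, usec, data in packets:
        out += REC_HDR.pack(sec, usec, len(data), len(data)) + data
    return out

def index_pcap(blob, src):
    """Pass 1: walk one pcap and return ((sec, usec), src, offset) for every record."""
    magic = GLOBAL_HDR.unpack_from(blob, 0)[0]
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic %#x" % magic)
    entries, off = [], GLOBAL_HDR.size
    while off < len(blob):
        if off + REC_HDR.size > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        sec, usec, incl, _ = REC_HDR.unpack_from(blob, off)
        if off + REC_HDR.size + incl > len(blob):
            raise ValueError("truncated record body at offset %d" % off)
        entries.append(((sec, usec), src, off))
        off += REC_HDR.size + incl
    return entries

def merge_pcaps(blobs):
    """Two-pass merge: index all inputs, sort the index in memory, then copy records."""
    index = []
    for i, blob in enumerate(blobs):
        index.extend(index_pcap(blob, i))
    index.sort()  # by (sec, usec); ties keep input-file order, then file offset
    out = BytesIO()
    out.write(blobs[0][:GLOBAL_HDR.size])  # reuse the first file's global header
    for _, src, off in index:
        incl = REC_HDR.unpack_from(blobs[src], off)[2]
        out.write(blobs[src][off:off + REC_HDR.size + incl])
    return out.getvalue()

def records(blob):
    """Return [((sec, usec), payload), ...] in file order; used to check a merge."""
    out = []
    for ts, _, off in index_pcap(blob, 0):
        incl = REC_HDR.unpack_from(blob, off)[2]
        out.append((ts, blob[off + REC_HDR.size:off + REC_HDR.size + incl]))
    return out
```

The whole index lives in memory, so like tcpsort this is bounded by the total number of records, not by their size; inputs with a different link type would need a per-file header check before reusing the first file's header.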


