[Bro] Endace support in use?

[Robin Sommer]

On Tue, Nov 02, 2010 at 17:02 -0600, Jason Ish wrote:

> We’re seeing need from the Government space to retain this, and of
> course we’d like to see it retained as well.

Hmm ... As I had not heard from anybody in reply to my original
mail, we have actually already moved ahead and removed the code from
the current development version. We are in the process of
restructuring Bro's packaging and installation setup, and while
doing so, we are removing a number of things that don't appear to be
in serious use anywhere, primarily to reduce the future maintainace
burden. 

Do you have an idea how many sites will be affected by not having
the Endace API support in Bro? What is actually the advantage of
using the native API over the libpcap wrapper (which is what
everbody I heard from is currently doing already)?

> We’re happy to put some work to maintain it if you can leave it in
> please. 

Thanks for the offer. I think what we could do is postpone this for
now until we get closer to the next release and then revisit the
question and potentially add the support back in if that would be
really helpful for some sites. Doing so should generally be pretty
straight-forward but we'd indeed need some help with that to make
sure it's working as expected as we don't have any of the cards
available ourselves. Does that sound ok for now?

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org