[Bro] ConnCompressor, TCP options
Robin Sommer
robin at icir.org
Thu Jan 6 16:20:29 PST 2011

On Thu, Jan 06, 2011 at 15:50 -0500, you wrote:

> Why is initial packet faked and not passed as originally observed?

Because it is not completely stored at that point. For a
connection's initial packet, the compressor remembers only what's
necessary for later analyzing it in full if more packets are coming
in. That saves a lot of memory (and CPU actually) for things like
scans and floods because for all those connections, Bro needs hardly
any resources.

> Can you disable the use of the compressor? If so, how?

See other mail. For an offline trace analysis, you probably want to
do that.

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org