[Bro] ConnCompressor, TCP options
James Swaro
james.swaro at gmail.com
Thu Jan 6 17:58:28 PST 2011
On 01/06/2011 07:20 PM, Robin Sommer wrote:
>
> On Thu, Jan 06, 2011 at 15:50 -0500, you wrote:
>
>> Why is the initial packet faked and not passed as originally observed?
>
> Because it is not completely stored at that point. For a
> connection's initial packet, the compressor remembers only what's
> necessary for later analyzing it in full if more packets are coming
> in. That saves a lot of memory (and CPU actually) for things like
> scans and floods because for all those connections, Bro needs hardly
> any resources.
>
>> Can you disable the use of the compressor? If so, how?
>
> See other mail. For an offline trace analysis, you probably want to
> do that.
>
> Robin
>
Thank you for both answers. The first was a curiosity question and the
second, a necessity. Thank you, and rmkml, for the prompt answers.
--
-James