[Bro] Question about processing network traffic
Ren, Wenyu
wren3 at illinois.edu
Wed Apr 15 09:36:21 PDT 2015
Hi Seth,
Thanks for the answer. I still have some confusion about this. So the next packet will be buffered at the NIC before Bro finishes processing the current one? Are there chances that two or more packets are processed concurrently? Is this still true if I am using captured traffic traces?
And if Bro runs a periodic job consuming non-negligible cpu power, how will that affect the packet processing? Will that block the packets from being processed?
Thanks a lot,
Wenyu
________________________________________
From: Seth Hall [seth at icir.org]
Sent: Wednesday, April 15, 2015 7:18 AM
To: Ren, Wenyu
Cc: bro at bro.org
Subject: Re: [Bro] Question about processing network traffic
> On Apr 14, 2015, at 6:20 PM, Ren, Wenyu <wren3 at illinois.edu> wrote:
>
> I have a very basic question about how bro Bro handles network traffic. I am doing some processing on each packet that Bro sees. If the processing time is longer than the packet arriving interval, will Bro block the new packet or buffer the new packet event and deal with it later? If it is buffered, will the event be dropped if the buffer is full?
The packet will be lost once the NIC buffers are exceeded.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
More information about the Bro
mailing list