Bro state implementation

Hello,

What is the behaviour of Bro when “suspend_processing” is called? What I have observed is that Bro is buffering packets in the suspended state.

Can anyone help me out with how to avoid buffering the packets in the suspended state?

Thanks,
Surya

No, it's not buffering packets, it just stops processing them (i.e.,
the kernel will drop packets once its internal buffers are
exhausted).

What are you using suspend_processing() for?

Robin

> No, it’s not buffering packets, it just stops processing them (i.e.,
> the kernel will drop packets once its internal buffers are
> exhausted).

Once it's resumed, will the buffered packets be processed by Bro?
In our case we don't want this.
Is it possible to stop capturing the packets at the libpcap level and later resume capturing the packets without libpcap initialization?

Thanks,
Surya

As far as I know, there's no way to tell pcap to clear all internal
buffers. What one could do is close the interface and reopen it. Or
one could just eat all old packets without actually processing them
after calling continue_processing(). However, Bro does not support
either at the moment.

Robin
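An added illustration, not part of the thread and not Bro or libpcap code: a small C model of the behaviour discussed above, where a bounded kernel buffer fills and drops while the reader is suspended, and the reader then "eats" the backlog after resuming by skipping packets captured before the resume time. The ring size, timestamps and all function names are assumptions made for the example.

```c
#include <stdio.h>
/* Constructed model only: not Bro or libpcap code. All names are hypothetical. */
#define RING_SLOTS 4   /* assumed capacity of the kernel capture buffer */
struct pkt  { double ts; int id; };
struct ring { struct pkt slot[RING_SLOTS]; unsigned head, count, dropped; };

/* Kernel side: queue a packet, or drop it once the buffer is exhausted. */
static void ring_arrive(struct ring *r, double ts, int id) {
    if (r->count == RING_SLOTS) { r->dropped++; return; }
    r->slot[(r->head + r->count++) % RING_SLOTS] = (struct pkt){ ts, id };
}

/* Reader side: take the oldest queued packet; returns 0 when nothing is queued. */
static int ring_next(struct ring *r, struct pkt *out) {
    if (r->count == 0) return 0;
    *out = r->slot[r->head];
    r->head = (r->head + 1) % RING_SLOTS;
    r->count--;
    return 1;
}

/* Drain the ring, analysing only packets captured at or after resume_ts. */
static int read_after_resume(struct ring *r, double resume_ts, unsigned *stale) {
    struct pkt p;
    int analysed = 0;
    while (ring_next(r, &p)) {
        if (p.ts < resume_ts) (*stale)++;   /* queued while suspended: skip */
        else analysed++;
    }
    return analysed;
}

/* Six packets arrive while suspended, processing resumes at t=10, two arrive after. */
static int demo(unsigned *stale, unsigned *dropped) {
    struct ring r = {0};
    *stale = 0;
    for (int i = 1; i <= 6; i++) ring_arrive(&r, (double)i, i);
    int analysed = read_after_resume(&r, 10.0, stale);   /* discards the backlog */
    ring_arrive(&r, 10.5, 7); ring_arrive(&r, 11.0, 8);  /* traffic after resume */
    analysed += read_after_resume(&r, 10.0, stale);
    *dropped = r.dropped;
    return analysed;
}

int main(void) {
    unsigned stale, dropped;
    int analysed = demo(&stale, &dropped);
    printf("analysed=%d stale=%u dropped=%u\n", analysed, stale, dropped);
    return 0;
}
```

Without the timestamp check in read_after_resume(), the four packets still sitting in the ring would be analysed as if they were current traffic once the reader resumed.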