ConnCompressor, TCP options

I am developing a module for offline analysis of bulk traces to detect
and categorize TCP behavior when a retransmission takes place. I was
browsing through ConnCompressor.cc when I read the heading at the top of
the file.

Why is initial packet faked and not passed as originally observed? Is it
something specific about the use of Bro as an IDS?

Can you disable the use of the compressor? If so, how?

Thanks!

Hi James,
To disable it, change in policy/bro.init:
  const use_connection_compressor = F &redef;
Regards
Rmkml

Why is initial packet faked and not passed as originally observed?

Because it is not completely stored at that point. For a
connection's initial packet, the compressor remembers only what's
necessary for later analyzing it in full if more packets are coming
in. That saves a lot of memory (and CPU actually) for things like
scans and floods because for all those connections, Bro needs hardly
any resources.

Can you disable the use of the compressor? If so, how?

See other mail. For an offline trace analysis, you probably want to
do that.

Robin
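As an added illustration of the trade-off Robin describes (not Bro's code, and the class and field names are assumptions): a toy compressor keeps only a compact summary for a connection's first packet, and only when a second packet arrives does it build full state and replay the "faked" initial packet from that summary, so a port scan that never completes a handshake costs almost nothing.

```python
from dataclasses import dataclass, field

def conn_key(src, sport, dst, dport):
    """Direction-independent connection id, so a SYN and its SYN-ACK match."""
    return tuple(sorted([(src, sport), (dst, dport)]))

@dataclass
class PendingSyn:
    """All that is remembered for a lone first packet: enough to re-create it."""
    ts: float
    src: str
    sport: int
    seq: int

@dataclass
class FullConnection:
    """Full per-connection state; only built once a second packet shows up."""
    packets: list = field(default_factory=list)

class ConnCompressor:  # toy model, not Bro's ConnCompressor
    def __init__(self):
        self.pending = {}   # key -> PendingSyn (a few fields per connection)
        self.full = {}      # key -> FullConnection (the expensive state)

    def packet(self, ts, src, sport, dst, dport, flags, seq):
        key = conn_key(src, sport, dst, dport)
        if key in self.full:
            self.full[key].packets.append((ts, src, sport, flags, seq))
            return "full"
        if key not in self.pending:
            # First packet on this tuple: keep only the compact summary.
            self.pending[key] = PendingSyn(ts, src, sport, seq)
            return "pending"
        # Second packet: the connection is now worth full analysis. Replay the
        # initial packet from the summary (the "faked" SYN) before the new one.
        p = self.pending.pop(key)
        conn = FullConnection()
        conn.packets.append((p.ts, p.src, p.sport, "S", p.seq))
        conn.packets.append((ts, src, sport, flags, seq))
        self.full[key] = conn
        return "promoted"

def demo():
    """Constructed traffic: a 1000-port SYN scan plus one completed handshake."""
    cc = ConnCompressor()
    for port in range(1, 1001):
        cc.packet(1.0, "10.0.0.9", 40000 + port, "10.0.0.1", port, "S", 1000)
    cc.packet(2.0, "10.0.0.5", 51000, "10.0.0.1", 80, "S", 777)
    cc.packet(2.1, "10.0.0.1", 80, "10.0.0.5", 51000, "SA", 4242)
    cc.packet(2.2, "10.0.0.5", 51000, "10.0.0.1", 80, "A", 778)
    return cc
```

After `demo()`, the 1000 scan probes sit in `pending` as small summaries while only the real handshake holds a `FullConnection`, whose first recorded packet is the replayed SYN rather than the packet as it was originally seen.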

Thank you for both answers. The first was a curiosity question and the
second, a necessity. Thank you, and rmkml for the prompt answers.

--
-James