Hi,
since my tunnel decapsulation code can't propagate the identity of the tunnel's parent and since the connection compressor doesn't work with IPv6 yet, I was wondering whether it actually still saves a significant amount of memory or not.
So, I've done some benchmarks and it appears that the connection compressor doesn't help much more these days given that we accept all packets by default.
* 107GB trace, 5M conns, with http and conn:
memory and runtime unchanged.
same trace with bro-1.5, conn, http-request, http-response, filter that
* accepts all packets:
runtime unchanged. Memory 202MB vs. 215MB
* same trace, only SYN,FIN,RST packets:
memory and runtime unchanged
* pure SYN trace, 34M conns (==SYNs): that's the only case were I saw
a difference:
no-CC: 1613s, 276MB
So, all in all, it appears that the connection compressor doesn't help much anymore these days and given that has been in pain in the past and that we'd have to extend it to support IPv6 as well, I would opt for removing it.
(BTW, I've briefly talked to Robin about that before I did the benchmark and the thought was, that just disabling the connection compressor by default is not a good idea, since it would almost certainly fall in disuse and would succumb to bit-rot. So we should either keep it and leave it on per default, or remove the code)
cu
Gregor