Dear all,
I have a very basic question about how Bro handles network traffic. I am doing some processing on each packet that Bro sees. If the processing time is longer than the packet arrival interval, will Bro block the new packet or buffer the new packet event and deal with it later? If it is buffered, will the event be dropped if the buffer is full?
Thanks,
Wenyu
The packet will be lost once the NIC buffers are exceeded.
.Seth
Hi Seth,
Thanks for the answer. I still have some confusion about this. So the next packet will be buffered at the NIC before Bro finishes processing the current one? Are there chances that two or more packets are processed concurrently? Is this still true if I am using captured traffic traces?
And if Bro runs a periodic job consuming non-negligible CPU power, how will that affect the packet processing? Will that block the packets from being processed?
Thanks a lot,
Wenyu