As I'm working on the reorg, I propose to do the following: - Remove flow sources completely for now. Per below, we should eventually turn them into a file analyzer and at it doesn't look worth the effort (nor the ugliness) to migrate them over to the new structure first only to throw them out later. I'd be surprised if anybody is using them anyways.
- Remove the secondary path from the packet-layer code. We have discussed this before and at that time decided for keeping the code; see https://bro-tracker.atlassian.net/browse/BIT-434 However, I propose to go ahead and remove now because (1) it doesn't really fit the new structure of making the API (mostly) pcap-independent (it never really fit in well in the first place, and has made the code a lot more complex); (2) large-conns.bro seems to be the only actual use case, which we don't ship with 2.x anymore, and I'm not convinced that by itself warrants a separate data path (can we find a different solution to the problem?); and (3) it would be quite a bit of additional effort to port the code and make sure it still works (we don't have any tests, not surprisingly). Thoughts? Robin On Wed, Dec 04, 2013 at 11:12 -0500, you wrote: > > On Dec 3, 2013, at 1:07 PM, Robin Sommer <ro...@icir.org> wrote: > > > src/iosource/sources/flow-src/* > > To document our conversation from yesterday, flow-src should probably > be thrown out and the netflow analyzer turned into a file analyzer. > Extending the input framework to be able to open raw sockets would > then enable us to create an input stream holding open a datagram > socket and attach the netflow file analyzer to it. This would > simplify the whole thing and make it possible to reuse the netflow > analyzer code because we could yank netflow directly off the wire with > it too (pending some analyzer infrastructure re-architecting). > > .Seth > > -- > Seth Hall > International Computer Science Institute > (Bro) because everyone has a network > http://www.bro.org/ > -- Robin Sommer * Phone +1 (510) 722-6541 * ro...@icir.org ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org/robin _______________________________________________ bro-dev mailing list bro-dev@bro.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev