[ https://bro-tracker.atlassian.net/browse/BIT-1119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15307#comment-15307 ]

Jon Siwek commented on BIT-1119:
--------------------------------

{quote}
it's less the volume of output but the potential for confusion: one sees it and 
starts wondering what's wrong. It's easy to forget that TCP analysis gets 
confused because the trace is filtered.
{quote}

I might be misremembering (or repressed the details of the TCP code), but isn't 
the TCP analysis *less* confused in the face of filtered traces with the 
change?  i.e. things are now most correct and it actually reports content gaps 
so e.g. missing_bytes fields for connections can be populated.

{quote}
but it's awesome to be able to notify people when things are failing and how 
they could fix it.
{quote}

I wouldn't say filtered traces fail due to the change, you just get more, 
possibly unexpected but not incorrect, output.

(I'm just trying to clarify perspective, not really against the idea of sampling 
weirds to issue a suggestion/warning.)

> topic/jsiwek/tcp-improvements
> -----------------------------
>
>                 Key: BIT-1119
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1119
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Jon Siwek
>             Fix For: 2.3
>
>         Attachments: signature.asc
>
>
> This branch is in the bro, bro-testing, and bro-testing-private repos and has 
> a few changes to improve reporting of TCP connection sizes and gaps (commit 
> messages explain in more detail).
> The baseline changes in the external repos all seemed reasonable/explainable 
> (or actually fix a problem).  There's too much changed to go through 
> case-by-case and actually check things, but I did do closer examinations of 
> unique differences as I came across them (e.g. try to corroborate Bro results 
> via wireshark).  Then for those that seem to follow the same trend as 
> something I already inspected, I wouldn't manually check.



--
This message was sent by Atlassian JIRA
(v6.2-OD-07-028#6211)
_______________________________________________
bro-dev mailing list
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
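The discussion above turns on what a TCP reassembler does when a filtered trace is missing segments: it can either get confused or report the hole as a content gap and count the bytes it never saw. The following is an added illustration, not code from Bro or from anyone in this thread. It builds a constructed two-direction stream, drops segments the way a size-based capture filter might, and runs a minimal reassembler that records each gap and totals the missing bytes per direction (the idea behind the missing_bytes fields mentioned above). The Segment/DirectionState types, the filter rule and the trace contents are all assumptions made for the example, and the toy declares a gap as soon as a sequence number jumps forward, which is a simplification of how a real reassembler decides that data is truly gone.

```python
"""Toy TCP content-gap accounting on a filtered trace (added example, not Bro's code)."""
from dataclasses import dataclass, field


@dataclass
class Segment:
    orig: bool    # True: originator -> responder, False: responder -> originator
    seq: int      # relative sequence number of the first payload byte
    length: int   # payload length in bytes


@dataclass
class DirectionState:
    next_seq: int = 0      # next payload byte we expect to see
    delivered: int = 0     # bytes handed on to content analysis
    missing: int = 0       # bytes never seen because of gaps
    gaps: list = field(default_factory=list)  # (start_seq, length) per gap


# Constructed full (unfiltered) trace: three originator segments, three
# responder segments and one responder retransmission, in arrival order.
FULL_TRACE = [
    Segment(True, 0, 100),
    Segment(False, 0, 1000),
    Segment(True, 100, 200),
    Segment(False, 1000, 1000),
    Segment(True, 300, 50),
    Segment(False, 2000, 500),
    Segment(False, 1000, 1000),   # retransmission of an already-seen segment
]


def filter_trace(segments, max_payload=600):
    """Mimic a capture filter that kept only small packets (assumed rule)."""
    return [s for s in segments if s.length <= max_payload]


def process(segments):
    """Minimal per-direction reassembler that records gaps instead of stalling.

    Simplification: a forward jump in sequence numbers is treated as a gap
    immediately; a real reassembler waits for evidence (e.g. an ACK past the
    hole) before concluding the bytes will never arrive.
    """
    state = {True: DirectionState(), False: DirectionState()}
    for seg in segments:
        st = state[seg.orig]
        end = seg.seq + seg.length
        if end <= st.next_seq:
            continue                      # pure retransmission, nothing new
        if seg.seq > st.next_seq:         # hole between what we had and this segment
            gap = seg.seq - st.next_seq
            st.gaps.append((st.next_seq, gap))
            st.missing += gap
            st.next_seq = seg.seq
        st.delivered += end - st.next_seq  # only the bytes beyond what we already had
        st.next_seq = end
    return state


def summarize(state):
    """Flatten reassembler state into the kind of per-connection fields a log would carry."""
    return {
        name: {"delivered": st.delivered, "missing": st.missing, "gaps": list(st.gaps)}
        for name, st in (("orig", state[True]), ("resp", state[False]))
    }


if __name__ == "__main__":
    print("unfiltered:", summarize(process(FULL_TRACE)))
    print("filtered:  ", summarize(process(filter_trace(FULL_TRACE))))
```

Run on the unfiltered trace every byte is delivered and no gap is recorded; on the filtered trace the two large responder segments (and their retransmission) vanish, so the responder direction reports a single 2000-byte gap at sequence 0 and only 500 delivered bytes, while the originator direction is unaffected. That is the "more, possibly unexpected but not incorrect, output" the comment describes: the gap is real and the count is right, the trace itself is what is incomplete.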