For performance concerns, it's not clear that individual packets are the right granularity to examine. For example, if you stop processing one packet you might be giving up on any subsequent analysis for the remainder of its flow, which can have a large amplifying effect (or not) depending on the size of the flow.
For a different approach to the problem, see section 5.3 ("Dynamically controlling packet load") in the Operational Experiences paper, http://www.icir.org/vern/papers/high-volume-ccs04.pdf .

Vern