Apologies for resurrecting an old thread. I'm wondering if anyone has given any further thought to or done any work on this. While looking at BIT-1480 (adding ERSPAN decapsulation support), I was reminded of what a mess Sessions.cc currently is. I think moving towards passing a Packet structure around would help to simplify things a lot - possibly by breaking up the code into per-protocol classes.
Curious to hear any thoughts.

Thanks,
--Vlad

On Thu, May 7, 2015 at 4:17 PM, Thomas, Eric D <[email protected]> wrote:
> That sounds good! Both ideas seem to add an interesting level of
> additional flexibility and analytic potential.
> --
> Eric Thomas
> [email protected]
>
> On 4/29/15, 4:59 PM, "Robin Sommer" <[email protected]> wrote:
>
> >What if we did a combination of what I suggested and your thoughts
> >here? We carry link-level features through to script-land inside the
> >connection record, and in addition allowed to transfer a custom subset
> >over to the connection ID for hashing? The latter could be done later
> >as a second step.
> >
> >Robin
> >
> >On Tue, Apr 28, 2015 at 18:32 +0000, you wrote:
> >
> >> Hi Robin,
> >>
> >> I thought more about your generalized idea and would like to follow
> >> up. To start, adding link-level features to the connection ID hash,
> >> while perhaps useful in some contexts, does not provide us the
> >> functionality we desire. I have an incoming feed of VLAN-tagged
> >> traffic (both VLAN and 802.1ah) with perhaps dozens of different
> >> VLANs, and I would like to handle the connections differently in
> >> scripts but also mainly in offline log analysis depending upon which
> >> VLANs the traffic is associated with.
> >>
> >> Initially I had proposed simply adding the VLAN Ids to the conn.log
> >> file, but that is certainly too specific of a solution. What are
> >> your thoughts on exposing link-level features at the script layer
> >> for connections? For example, if all observed VLAN tags for a
> >> connection were in a set variable of the script-level Connection
> >> record, I could then label my data by matching VLAN Ids, then
> >> process them differently accordingly. Thoughts?
> >>
> >
> >--
> >Robin Sommer * Broala, LLC * [email protected] * www.broala.com
> >
> _______________________________________________
> bro-dev mailing list
> [email protected]
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
