That makes sense. I'll go ahead and read through that paper. Thanks for the reference!
-Gilbert

________________________________________
From: Vern Paxson <[email protected]>
Sent: Sunday, September 28, 2014 7:57 PM
To: Clark, Gilbert
Cc: [email protected]
Subject: Re: [Bro-Dev] Bro + real-time question

For performance concerns, it's not clear that individual packets are the right granularity to examine. For example, if you stop processing one packet you might be giving up on any subsequent analysis for the remainder of its flow, which can have a large amplifying effect (or not) depending on the size of the flow.

For a different approach to the problem, see section 5.3 ("Dynamically controlling packet load") in the Operational Experiences paper, http://www.icir.org/vern/papers/high-volume-ccs04.pdf .

Vern
