Weekly Report -- 05/08/2011

Short week this week, as I was in Wellington on Thursday and Friday.

Managed to get Bro running and producing results that I could replicate with a libtrace program. Found that Bro was tracking TCP state incorrectly - it would often describe a TCP flow as both established and closed correctly when, in fact, no SYNs were observed at all. Reported the bug to the Bro team and decided to use my state classifications from now on.
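To make concrete what "tracking TCP state correctly" means here, the following is an added example (not the libtrace program from the report and not Bro's own connection tracking): a minimal per-flow classifier driven only by the TCP flags of each packet. A flow is reported as established only after the initiator's SYN and the responder's SYN-ACK have both been seen, and as closed only after an established flow carries a FIN in each direction. A flow whose SYN was never observed (the trace started mid-stream) is reported as "no handshake observed" even if FINs or an RST follow, which is exactly the case the report says Bro got wrong. The packet sequences are constructed by hand; the classifier is simplified in that it does not require the third ACK of the handshake, ignores sequence numbers, and assumes direction is already known (0 = initiator to responder, 1 = the reverse).

```c
/* Added example: flag-driven TCP flow state classification.
 * Not libtrace or Bro code; all packet sequences below are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCP flags byte bits (RFC 793 layout). */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

typedef struct {
    int dir;        /* 0 = initiator to responder, 1 = responder to initiator */
    uint8_t flags;  /* TCP flags byte */
} pkt_t;

enum flow_state {
    FLOW_NO_HANDSHAKE,  /* no SYN from the initiator: capture started mid-flow */
    FLOW_SYN_ONLY,      /* SYN seen, never answered with a SYN-ACK */
    FLOW_ESTABLISHED,   /* SYN and SYN-ACK seen, no orderly close yet */
    FLOW_CLOSED,        /* established, then FIN in both directions */
    FLOW_RESET          /* SYN seen, then RST from either side */
};

typedef struct {
    bool syn_from_initiator;
    bool synack_from_responder;
    bool fin[2];
    bool rst;
} flow_t;

void flow_init(flow_t *f)
{
    f->syn_from_initiator = false;
    f->synack_from_responder = false;
    f->fin[0] = f->fin[1] = false;
    f->rst = false;
}

void flow_update(flow_t *f, const pkt_t *p)
{
    int dir = p->dir ? 1 : 0;
    bool syn = (p->flags & TH_SYN) != 0;
    bool ack = (p->flags & TH_ACK) != 0;

    if (dir == 0 && syn && !ack)
        f->syn_from_initiator = true;
    /* Only count a SYN-ACK once the initiator's SYN has been seen, so a stray
     * SYN-ACK in a mid-stream capture cannot stand in for a full handshake. */
    if (dir == 1 && syn && ack && f->syn_from_initiator)
        f->synack_from_responder = true;
    if (p->flags & TH_FIN)
        f->fin[dir] = true;
    if (p->flags & TH_RST)
        f->rst = true;
}

enum flow_state flow_classify(const flow_t *f)
{
    /* Without the initiator's SYN we never saw the connection start, so the
     * flow is neither "established" nor "closed" whatever FIN/RST followed. */
    if (!f->syn_from_initiator) return FLOW_NO_HANDSHAKE;
    if (f->rst) return FLOW_RESET;
    if (!f->synack_from_responder) return FLOW_SYN_ONLY;
    if (f->fin[0] && f->fin[1]) return FLOW_CLOSED;
    return FLOW_ESTABLISHED;
}

const char *flow_state_name(enum flow_state s)
{
    static const char *names[] = {
        "no handshake observed", "SYN only", "established", "closed", "reset"
    };
    return names[s];
}

/* Run every packet of one flow through the tracker and return its state. */
enum flow_state classify_packets(const pkt_t *pkts, size_t n)
{
    flow_t f;
    flow_init(&f);
    for (size_t i = 0; i < n; i++)
        flow_update(&f, &pkts[i]);
    return flow_classify(&f);
}

#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed packet sequences, not taken from any real trace. */
static const pkt_t full_close[] = {
    {0, TH_SYN}, {1, TH_SYN | TH_ACK}, {0, TH_ACK}, {0, TH_ACK}, {1, TH_ACK},
    {0, TH_FIN | TH_ACK}, {1, TH_FIN | TH_ACK}, {0, TH_ACK}
};
static const pkt_t midstream_close[] = {   /* the case Bro misreported */
    {0, TH_ACK}, {1, TH_ACK}, {0, TH_FIN | TH_ACK}, {1, TH_FIN | TH_ACK}, {0, TH_ACK}
};
static const pkt_t half_open[] = { {0, TH_SYN}, {0, TH_SYN} };
static const pkt_t open_conn[] = { {0, TH_SYN}, {1, TH_SYN | TH_ACK}, {0, TH_ACK}, {0, TH_ACK} };
static const pkt_t rejected[]  = { {0, TH_SYN}, {1, TH_RST | TH_ACK} };

int main(void)
{
    printf("full handshake + FINs : %s\n", flow_state_name(classify_packets(full_close, NELEM(full_close))));
    printf("mid-stream + FINs     : %s\n", flow_state_name(classify_packets(midstream_close, NELEM(midstream_close))));
    printf("unanswered SYNs       : %s\n", flow_state_name(classify_packets(half_open, NELEM(half_open))));
    printf("handshake + data      : %s\n", flow_state_name(classify_packets(open_conn, NELEM(open_conn))));
    printf("SYN then RST          : %s\n", flow_state_name(classify_packets(rejected, NELEM(rejected))));
    return 0;
}
```

The point of gating every later state on the initiator's SYN is that a capture which starts mid-connection carries no evidence about how the connection began; reporting such flows as established and then closed inflates connection counts and hides the difference between a real handshake and a flow that was simply already under way when the trace started.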

Wrote a libpcap program that was equivalent to the libtrace program to compare the performance of the two. Surprisingly, the "zcat | dagconvert | libpcap" run was quite a bit faster than the "libtrace" equivalent. Profiled the libtrace program and managed to find a couple of opportunities for speeding things up, mostly through increased caching. The libpcap program is still slightly faster now, but the gap has closed significantly.