On 7/11/19 3:06 PM, Guy Harris wrote:
I.e., compute the community ID for the flow to which a packet belongs, and add it to the protocol tree as a calculated field?
Yep, exactly.
How about a higher-level pseudo-code description of the algorithm? That way, it 1) doesn't require the implementer to know Python, 2) doesn't include irrelevant details such as code to use dpkt to read a pcap file, etc..
Yep, sorely missing and duly noted. There's some history here -- the
folks working on the two initial implementations (in Zeek and Suricata)
worked from dummy code directly, and we still haven't updated the "spec"
to be more useful.
Thanks!
Christian