Arne Welzel

Results 105 comments of Arne Welzel

(mostly food for thought) reading the wireshark docs: > A TCP stream is treated as like data from other pipes and the same restrictions apply. On each new connection the...

> Many installations currently use a nc localhost 57012 | tcpreplay - combo to feed packets from PCAP-over-IP into Zeek. That’s a tolerable solution for most, May or may not...

> > Seems like an ordinary TCP load balancer (without application layer specific handling) will do if the aim is to sink multiple PCAP-over-TCP connections on multiple workers. > >...

Let me throw this out here: It seems re-parse.c is generated twice during a parallel make and maybe that makes a follow-up `cc` process see a corrupted version? The Build...

Hmm, should we re-open this issue until the fix is in the zeek repo? I've just had another occurrence here: https://cirrus-ci.com/task/5684539941978112

@vpax - is this something you could take a peek at? I've stared but wasn't able to figure it out. I suspect the frame size of the generated lambda needs...

> The main driver for this is symmetry with protocol and file analyzers, right? Yes. > If so, the third option sounds appealing to me — it looks like the...

> How about a lighter-weight version of (3): I'd say the main API to align is the managers' DisableAnalyzer methods. That's what for protocol analyzers then branches out into the...

So #2443 implemented a "fast version of (3)". I'm currently unclear if we actually want to do some version of (2) in the near future where individual entries of the...

Doing the same with spicy-plugin, it's stopping earlier with `built-in function Spicy::__toggle_analyzer multiply defined`: ``` $ zeek -N error in /opt/zeek-dev/lib/zeek/plugins/Zeek_Spicy/lib/bif/./events.bif.zeek, line 7 and /home/awelzel/corelight-oss/zeek/build/scripts/base/bif/plugins/./Zeek_Spicy.events.bif.zeek, line 7: alternate function prototype...