[Bro] tcp contents

john mcnicholas jomcn at mail.com
Mon Nov 29 18:45:54 PST 2004


> If you want todo it online while also doing other work, then a
> natural way would be something like:
> 
>	global interesting_services = { smtp, http, };
>
>	event connection_established(c: connection)
>		{
>		if ( c$id$resp_p in interesting_services )
>			demux_conn(c$id, "interesting", "orig", "resp");
>		}
>
>(with the caveat that I haven't tested this) 

Thanks for the tip. 

Good news: I went ahead and tested it and it worked fine when saving the
contents to 2 separate files.
Bad news:  Although it took just a simple modification to a copy of
"demux_conn()", I couldn't get it to work when writing to 1 file by using
the CONTENTS_BOTH flag.

Assuming the above observations are true, then unless someone can state why
CONTENTS_BOTH has problems I will go ahead and continue investigating
tomorrow.

More details on the "bad news":

- at a minimum the data is not ordered properly.  This is readily apparent
when examining the POP3 protocol when there isn't any mail to deliver.
Perhaps it is as simple as the data being cached and then flushed?  (I'm now
suspicious of this, and will look at it tomorrow. Sorry for the premature
post.)

- for HTTP it also appeared the data was not properly ordered.  I can't say
for certain, but it appeared that the first "get" was frequently missing
while the response was properly added.

- two workarounds for the above were to either 
	a: have the HTTP_Conn or SMTP_Conn classes constructed by inserting
the empty "events" for those analyzers (correct term?)
	b: instantiating the TCP_TransactionContents class for HTTP, SMTP,
and POP3.  The simple class seems to flush the data properly.

Perhaps I'm swimming upstream by trying to use the single file approach, but
it really does seem doable.

Thanks for the help.

John
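For readers following the thread, here is an added illustration (not code from either poster, and not Bro's own demux.bro) of the "simple modification to a copy of demux_conn()" being discussed: a single-file variant that passes CONTENTS_BOTH to set_contents_file() instead of opening one file per direction. set_contents_file(), CONTENTS_BOTH, open(), fmt() and mkdir() are Bro built-ins; the demux_dir and demuxed_conn globals, the function name and the file-naming scheme are my assumptions for the example.

```bro
# Added example: record both directions of "interesting" TCP connections
# into a single contents file via CONTENTS_BOTH.  The thread above reports
# ordering problems with this mode for POP3 and HTTP, so when evaluating it
# compare the output against the two-file CONTENTS_ORIG / CONTENTS_RESP
# approach used by the stock demux_conn().

global interesting_services = { smtp, http, };

global demux_dir = "demux";          # assumed output directory (not from the thread)
global demuxed_conn: set[conn_id];   # connections already being recorded

function demux_conn_single(id: conn_id, tag: string): bool
	{
	# Hook each connection only once, and make sure the output dir exists.
	if ( id in demuxed_conn || ! mkdir(demux_dir) )
		return F;

	local fname = fmt("%s/%s.both.%s.%d-%s.%d", demux_dir, tag,
				id$orig_h, id$orig_p, id$resp_h, id$resp_p);

	# CONTENTS_BOTH: one file, both directions, in the order Bro hands
	# the data to the file (this is where the ordering issue would show up).
	if ( ! set_contents_file(id, CONTENTS_BOTH, open(fname)) )
		return F;

	add demuxed_conn[id];
	return T;
	}

event connection_established(c: connection)
	{
	if ( c$id$resp_p in interesting_services )
		demux_conn_single(c$id, "interesting");
	}
```

A quick way to check the ordering concern raised in the thread is to run this script and the two-file version side by side on the same trace and diff the single file against a manual interleave of the orig/resp files by timestamp.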
