[Bro] tcp contents
rpang at CS.Princeton.EDU
Tue Nov 30 07:14:06 PST 2004
> event tcp_contents(c: connection, is_orig: bool, seq: count, contents:
> though this won't easily do the right thing in the presence of packet

In fact, tcp_contents won't be affected by packet loss/retransmission,
and it always delivers contents in the order of TCP sequence numbers,
because it is called after TCP reassembly in

1) There can be content gaps in case some packets are not captured by
Bro. Gaps are reported by event content_gap, but you can also tell by
looking at parameter <seq> and length of <contents> of tcp_contents.

2) Also, if the connection is "skipped" (some analyzers, e.g.
Netbios/SSN, will automatically skip after seeing a content gap.)

function skip_further_processing%(cid: conn_id%): bool

the content afterwards won't reach tcp_contents. The same also applies
to "TCP content files".
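Detecting gaps from the <seq> parameter and the length of <contents>, as the reply suggests, as an added Bro-script example that is not part of the original message. It assumes Bro's standard content_gap and connection_state_remove event signatures and the tcp_content_deliver_all_orig/resp redefs for requesting content delivery on all ports; adjust these to the Bro version in use.

```bro
# Added example (not from the original message): track the next expected
# relative sequence number per connection and direction, and flag a gap
# when tcp_contents delivers data beyond it. Assumed names are noted.

# Assumption: these redefs request tcp_contents delivery for all ports.
redef tcp_content_deliver_all_orig = T;
redef tcp_content_deliver_all_resp = T;

# Next expected relative sequence number, keyed by connection and direction.
global next_seq: table[conn_id, bool] of count;

event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
	{
	local dir = is_orig ? "orig" : "resp";

	if ( [c$id, is_orig] in next_seq )
		{
		local expected = next_seq[c$id, is_orig];

		# Contents arrive in sequence order after reassembly, so a jump
		# forward means bytes between expected and seq were never captured.
		if ( seq > expected )
			print fmt("%s %s: gap of %d bytes before seq %d (not captured)",
				id_string(c$id), dir, seq - expected, seq);
		# Going backwards would contradict in-order delivery; worth flagging.
		else if ( seq < expected )
			print fmt("%s %s: unexpected seq %d < expected %d",
				id_string(c$id), dir, seq, expected);
		}

	next_seq[c$id, is_orig] = seq + |contents|;
	}

# Bro reports the same gaps via content_gap; log it too to cross-check.
event content_gap(c: connection, is_orig: bool, seq: count, length: count)
	{
	print fmt("%s %s: content_gap at seq %d, length %d",
		id_string(c$id), is_orig ? "orig" : "resp", seq, length);
	}

# Drop state when the connection is removed so the table does not grow.
event connection_state_remove(c: connection)
	{
	delete next_seq[c$id, T];
	delete next_seq[c$id, F];
	}
```

Note that once an analyzer skips a connection (via skip_further_processing), neither event fires for it anymore, so the absence of gap reports does not by itself mean the stream was complete.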