[Bro] handle out of order and retransmitted packets in offline trace
vern at icir.org
Mon May 16 16:25:35 PDT 2011
> Can Bro itself differentiate these retransmitted and out of order packets?
It's not clear what you mean by differentiate. Bro reassembles the
TCP bytestream, correctly accounting for retransmitted and out-of-order
> Besides, can http-rewriter.bro handle the special HTTP packet which, for
> example, includes 2 or more requests or response or even one and half
> requests or responses?
Per Ruoming's earlier comment, http-rewriter.bro does *not* operate on
individual packets, it operates on the reassembled bytestream. It then
constructs new packets from that bytestream. The timing of these packets
reflects the timing of the original packets, but the *sequencing* of the
packets does not.
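As an added illustration of the point made in this reply (this is example code written for this page, not Bro's or http-rewriter.bro's implementation), the toy reassembler below orders TCP segments by sequence number, discards bytes already delivered by a retransmission, and only then hands the bytestream to an HTTP parser. The constructed stream carries two complete requests plus the first half of a third; the segments are fed out of order, one is fully retransmitted, and one partially overlaps data already delivered. The initial sequence number (1000) and the segment boundaries are arbitrary choices for the example.

```python
"""Toy TCP reassembly followed by HTTP request framing.

Added example for this thread; not Bro code. Shows why an analyzer must
work on the reassembled bytestream rather than on individual packets:
requests straddle segment boundaries, and segments may arrive out of
order or more than once.
"""


class StreamReassembler:
    def __init__(self, isn):
        self.next_seq = isn          # next byte we expect in order
        self.pending = {}            # seq -> payload for early segments
        self.stream = bytearray()    # in-order, de-duplicated bytes

    def feed(self, seq, payload):
        """Accept one segment (assumed sequence number and payload)."""
        end = seq + len(payload)
        if end <= self.next_seq:
            return                   # pure retransmission: nothing new
        if seq < self.next_seq:
            payload = payload[self.next_seq - seq:]   # keep only the new tail
            seq = self.next_seq
        existing = self.pending.get(seq)
        if existing is None or len(existing) < len(payload):
            self.pending[seq] = bytes(payload)
        self._drain()

    def _drain(self):
        """Move every contiguous pending segment onto the stream."""
        while True:
            # Trim pending segments that now overlap delivered bytes.
            for s in sorted(self.pending):
                if s < self.next_seq:
                    p = self.pending.pop(s)
                    if s + len(p) > self.next_seq:
                        tail = p[self.next_seq - s:]
                        cur = self.pending.get(self.next_seq)
                        if cur is None or len(cur) < len(tail):
                            self.pending[self.next_seq] = tail
            payload = self.pending.pop(self.next_seq, None)
            if payload is None:
                return
            self.stream += payload
            self.next_seq += len(payload)


def parse_http_requests(data):
    """Frame complete HTTP requests; return (requests, unparsed leftover)."""
    requests, pos = [], 0
    while True:
        hdr_end = data.find(b"\r\n\r\n", pos)
        if hdr_end == -1:
            break                    # header block not complete yet
        length = 0
        for line in data[pos:hdr_end].split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        body_start = hdr_end + 4
        if body_start + length > len(data):
            break                    # body still in flight
        requests.append(bytes(data[pos:body_start + length]))
        pos = body_start + length
    return requests, bytes(data[pos:])


# Constructed sample stream: two full requests and a partial third.
REQ1 = b"GET /a HTTP/1.1\r\nHost: x\r\n\r\n"
REQ2 = b"POST /b HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n\r\nhello"
REQ3_PARTIAL = b"GET /c HTTP/1.1\r\nHos"
STREAM = REQ1 + REQ2 + REQ3_PARTIAL
ISN = 1000


def reassemble_and_parse():
    """Feed constructed segments out of order, with retransmissions."""
    r = StreamReassembler(ISN)
    r.feed(ISN + 70, STREAM[70:])        # arrives first, far ahead
    r.feed(ISN + 20, STREAM[20:45])      # still a gap before it
    r.feed(ISN + 0, STREAM[0:20])        # fills the gap; delivers 0..45
    r.feed(ISN + 20, STREAM[20:45])      # exact retransmission, dropped
    r.feed(ISN + 40, STREAM[40:70])      # overlaps 5 delivered bytes
    return parse_http_requests(r.stream)


if __name__ == "__main__":
    reqs, rest = reassemble_and_parse()
    for req in reqs:
        print(req.split(b"\r\n", 1)[0].decode())
    print("leftover bytes:", len(rest))
```

Note that the reassembler only decides which bytes belong where; the request boundaries are found afterwards in the stream, which is why a segment holding the end of one request and the start of the next causes no trouble here, and why the half-request at the end simply stays buffered as leftover until more data arrives.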
More information about the Bro