[Bro] handle out of order and retransmitted packets in offline trace
sxz135 at case.edu
Tue May 17 17:24:50 PDT 2011
Is that function of reassembling the TCP bytestream embedded in the event engine and
enabled by default when using http-rewriter.bro, or is there a policy
script we need to call to sort out the TCP packets? Thanks.
On Mon, May 16, 2011 at 7:25 PM, Vern Paxson <vern at icir.org> wrote:
> > Can Bro itself differentiate these retransmitted and out of order
> It's not clear what you mean by differentiate. Bro reassembles the
> TCP bytestream, correctly accounting for retransmitted and out-of-order
> > Besides, can http-rewriter.bro handle the special HTTP packet which, for
> > example, includes 2 or more requests or response or even one and half
> > requests or responses?
> Per Ruoming's earlier comment, http-rewriter.bro does *not* operate on
> individual packets, it operates on the reassembled bytestream. It then
> constructs new packets from that bytestream. The timing of these packets
> reflects the timing of the original packets, but the *sequencing* of the
> packets does not.