[Bro] handle out of order and retransmitted packets in offline trace

Song Zhao sxz135 at case.edu
Wed May 25 14:48:00 PDT 2011


Hi, all

Sorry to bother you guys again. I still have some very basic questions about
Bro and http-rewriter.bro.

1. Is the command to use http-rewriter.bro on a captured offline trace as
follows?
     ./bro -r 'the name of the tracefile we want to deal with' http-rewriter.bro
-w 'the name of the tracefile where we want to write the resulting packets'

2. If the answer to question 1 is yes, will this command call the event engine to
reassemble the TCP byte stream (reorder out-of-order packets and delete
retransmitted packets) in the captured trace, and will the event engine then
provide the reassembled byte stream to the upper level, where http-rewriter.bro
can rewrite it?

3. Can http-rewriter.bro and the event engine correctly deal with a big
trace (about 400 GB) that was merged from several traces?

Looking forward to your answer, and thank you very much.

Song


On Wed, May 18, 2011 at 1:43 PM, Vern Paxson <vern at icir.org> wrote:

> > Is that function of reassembling the TCP bytestream embedded in the event engine
> > and enabled by default when using http-rewriter.bro?
>
> It's fundamental to how the event engine works.
>
>                Vern
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20110525/129fd858/attachment.html 
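Question 2 asks what "reassembling the TCP bytestream" means in practice for an offline trace. The following is an added illustration, not Bro's code and not part of the original thread: a minimal one-direction TCP reassembler in Python that reorders out-of-order segments, drops exact retransmissions, trims bytes that overlap data already delivered, and holds segments behind a hole until it is filled. The sample segments (an HTTP request split into five segments at an assumed initial sequence number of 1000) are constructed here; the class and function names are illustrative. Sequence-number wraparound, SACK and the other direction of the connection are deliberately left out, so this shows the idea behind the event engine's reassembly rather than its implementation.

```python
"""Illustrative one-direction TCP reassembler (added example; not Bro's code).

Segments arrive as (seq, payload) pairs in capture order.  Bytes are delivered
to the application-layer stream only when they are contiguous with what has
already been delivered; anything else is buffered (out of order) or discarded
(retransmitted).  32-bit sequence wraparound is ignored for brevity.
"""
from dataclasses import dataclass, field


@dataclass
class Reassembler:
    isn: int                                   # assumed initial sequence number
    next_seq: int = field(init=False)          # next byte the stream expects
    pending: dict = field(default_factory=dict)      # seq -> payload, held behind a hole
    stream: bytearray = field(default_factory=bytearray)
    dropped: list = field(default_factory=list)      # (seq, reason) for discarded segments

    def __post_init__(self):
        self.next_seq = self.isn

    def feed(self, seq, payload):
        end = seq + len(payload)
        if end <= self.next_seq:
            # Every byte was already delivered: a pure retransmission.
            self.dropped.append((seq, "retransmission"))
            return
        if seq < self.next_seq:
            # Partial overlap with delivered data: keep only the new tail.
            payload = payload[self.next_seq - seq:]
            seq = self.next_seq
        if seq > self.next_seq:
            # Out of order: there is a hole before this segment, so hold it.
            # If the same offset is seen twice, keep the longer payload.
            existing = self.pending.get(seq)
            if existing is None or len(payload) > len(existing):
                self.pending[seq] = payload
            else:
                self.dropped.append((seq, "duplicate out-of-order"))
            return
        self._deliver(payload)
        self._drain()

    def _deliver(self, payload):
        self.stream += payload
        self.next_seq += len(payload)

    def _drain(self):
        # After a hole is filled, release every held segment that now touches
        # or overlaps the front of the stream, lowest sequence number first.
        while True:
            ready = [s for s in self.pending if s <= self.next_seq]
            if not ready:
                break
            s = min(ready)
            p = self.pending.pop(s)
            if s + len(p) <= self.next_seq:
                self.dropped.append((s, "retransmission"))
                continue
            self._deliver(p[self.next_seq - s:])


def reassemble(isn, segments):
    """Run the segments through a Reassembler; return (stream, dropped, pending)."""
    r = Reassembler(isn)
    for seq, data in segments:
        r.feed(seq, data)
    return bytes(r.stream), list(r.dropped), dict(r.pending)


# Constructed sample: one HTTP request, ISN 1000, delivered out of order with
# one exact retransmission and one partially overlapping segment.
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
SEGMENTS = [
    (1000, REQUEST[0:10]),    # in order
    (1020, REQUEST[20:30]),   # arrives before the segment it follows
    (1010, REQUEST[10:20]),   # fills the hole; the held segment is released
    (1010, REQUEST[10:20]),   # retransmission of delivered bytes; dropped
    (1025, REQUEST[25:]),     # overlaps 5 delivered bytes; only the tail is new
]

if __name__ == "__main__":
    stream, dropped, pending = reassemble(1000, SEGMENTS)
    print(stream.decode())
    print("dropped:", dropped, "still pending:", pending)
```

Once the stream is contiguous, an HTTP parser (the analogue of the layer http-rewriter.bro sits on) sees one request regardless of how the packets were ordered in the trace; segments still in `pending` at the end of a connection correspond to a hole that no packet in the capture ever filled.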

