[Bro] handle out of order and retransmitted packets in offline trace
sxz135 at case.edu
Wed May 25 22:05:32 PDT 2011
Add one more question:
4. If the command I use is as the one in question 1, which kind of packets
would be filtered? Only TCP packets, right? If so, which ports the packets
use would be filtered?
According to codes of http.bro, global http_ports are
80,81,631,1080,3138,8000,8080 and 8888.
However, when checking the big trace rewritten by the command in question 1,
majority of them are using 20480. Is port 20480 also an http port? Besides,
there are still a small portion with port numbers diffrent from all above.
So I am confused with the filteration of http-rewriter.bro.
Thanks for your help.
On Wed, May 25, 2011 at 5:48 PM, Song Zhao <sxz135 at case.edu> wrote:
> Hi, all
> Sorry to bother you guys again. I still have some very basic questions
> about Bro and http-rewriter.bro.
> 1. Is the command to use http-rewriter.bro on captured offline trace is as
> ./bro -r 'the name of tracefile we want to deal with' http-rewriter.bro - w
> 'the name of tracefile where we want to write the resulting packets
> 2. If question 1 is yes, will this command call event engine to reassemble
> the TCP bytestrem (reorder out of order packets and delete retranmitted
> packets) in the captured trace and then event engine will provide the
> ressambled byte stream to the upper level where http-rewriter.bro can
> rewrite them?
> 3. Whether http-rewriter.bro and event engine can deal with a big
> trace(about 400GB) correctly which is merged by several traces?
> Expect your answer and thank you very much.
> On Wed, May 18, 2011 at 1:43 PM, Vern Paxson <vern at icir.org> wrote:
>> > Is that function of reassembling TCP bytestream embedded in event engine
>> > enabled by default when using http-rewriter.bro
>> It's fundamental to how the event engine works.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro