[Bro] handle out of order and retransmitted packets in offline trace
vern at icir.org
Thu May 26 21:23:51 PDT 2011
> 1. Is the command to use http-rewriter.bro on a captured offline trace as
> follows?
> ./bro -r 'the name of tracefile we want to deal with' http-rewriter.bro
> -w 'the name of tracefile where we want to write the resulting packets'
It's -A, not -w.
> 2. If the answer to question 1 is yes, will this command call the event engine
> to reassemble the TCP bytestream (reorder out-of-order packets and delete
> retransmitted packets) in the captured trace, and will the event engine then
> provide the reassembled byte stream to the upper level where http-rewriter.bro
> can rewrite it?
> 3. Can http-rewriter.bro and the event engine correctly deal with a big
> trace (about 400GB) which is merged from several traces?
It should be able to, though that code hasn't been stressed all that
much and might wind up having a memory leak (or simply memory that
doesn't get reclaimed), which could cause it to blow up on a really
> 4. If the command I use is the one in question 1, which kind of packets
> would be filtered? Only TCP packets, right? If so, packets using which ports
> would be filtered?
http-rewriter loads http-reply.bro, which specifies the filter as:
tcp src port 80 or tcp src port 8080 or tcp src port 8000
> According to the code of http.bro, the global http_ports are
> 80, 81, 631, 1080, 3138, 8000, 8080 and 8888.
Note, that list is used only if you turn on DPD.
> However, when checking the big trace rewritten by the command in question 1,
> the majority of them are using 20480. Is port 20480 also an HTTP port?
Well, other than 80, none of them is a standardized HTTP port. But you
can add 20480 to the list in http-reply.bro to ensure it's captured.
> There is still a small portion with port numbers different from all of the above.
> So I am confused about the filtering of http-rewriter.bro.
Then in principle you should use DPD. However, I don't know whether
it's integrated with the rewriting framework.
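As an added example (not code from this thread, and not part of Bro or its
scripts), a small POSIX shell helper that builds the capture filter quoted
above from a port list, so a port such as 20480 can be appended and the
resulting expression inspected; it also assembles the offline-run command
line from the -r and -A flags named in the reply, and, where tcpdump is
available, lists the TCP source ports in a trace that a given port list would
miss. The trace and output file names are placeholders, and the exact
semantics of -A beyond "writes the resulting packets" are assumed from the
thread, not verified here.

```shell
#!/bin/sh
# Added example; not from the original thread and not Bro's own code.
# Builds the "tcp src port ... or tcp src port ..." filter that the reply
# says http-reply.bro applies, so the port list can be extended and checked.

# http_src_filter PORT... -> "tcp src port P1 or tcp src port P2 ..."
# Rejects anything that is not a plain decimal port number.
http_src_filter() {
    filter=""
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 1 ;;
        esac
        if [ -z "$filter" ]; then
            filter="tcp src port $p"
        else
            filter="$filter or tcp src port $p"
        fi
    done
    printf '%s\n' "$filter"
}

# The three ports quoted in the reply as http-reply.bro's default filter.
DEFAULT_HTTP_PORTS="80 8080 8000"

default_http_filter() {
    # Unquoted on purpose: split the space-separated list into arguments.
    http_src_filter $DEFAULT_HTTP_PORTS
}

# Offline run command, assembled as a string (dry run, nothing executed).
# -r and -A are the flags named in the thread; file names are placeholders.
bro_rewrite_cmd() {
    trace="$1"; out="$2"
    printf 'bro -r %s http-rewriter.bro -A %s\n' "$trace" "$out"
}

# Check before a long run: which TCP source ports in the trace would the
# filter built from PORT... miss? Needs tcpdump; prints "count port" lines.
unmatched_src_ports() {
    trace="$1"; shift
    command -v tcpdump >/dev/null 2>&1 || { echo "tcpdump not available" >&2; return 2; }
    f="$(http_src_filter "$@")" || return 1
    # tcpdump prints "src.addr.port > dst.addr.port:"; take the last
    # dot-separated field of the source as the port.
    tcpdump -nn -r "$trace" "tcp and not ($f)" 2>/dev/null \
      | awk '{ n = split($3, a, "."); print a[n] }' | sort | uniq -c | sort -rn
}

# Example usage (placeholder file names):
#   default_http_filter
#   http_src_filter 80 8080 8000 20480
#   bro_rewrite_cmd merged-trace.pcap rewritten-trace.pcap
#   unmatched_src_ports merged-trace.pcap 80 8080 8000 20480
```

The unmatched_src_ports check is the quick way to answer the "other ports"
question in the thread for a specific trace before committing to a multi-hour
run over 400GB: every port it reports is traffic the filter will drop, and the
decision is then whether to add those ports to the list or rely on DPD.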