[Bro] handle out of order and retransmitted packets in offline trace

Vern Paxson vern at icir.org
Thu May 26 21:23:51 PDT 2011

> 1. Is the command to use http-rewriter.bro on a captured offline trace as
> follows?
>      ./bro -r 'the name of tracefile we want to deal with' http-rewriter.bro
> - w 'the name of tracefile where we want to write the resulting packets

It's -A, not -w.

> 2. If question 1 is yes, will this command call event engine to reassemble
> the TCP bytestream (reorder out of order packets and delete retransmitted
> packets) in the captured trace and then event engine will provide the
> reassembled byte stream to the upper level where http-rewriter.bro can
> rewrite them?


> 3. Whether http-rewriter.bro and event engine can deal with a big
> trace (about 400GB) correctly which is merged by several traces?

It should be able to, though that code hasn't been stressed all that
much and might wind up having a memory leak (or simply memory that
doesn't get reclaimed), which could cause it to blow up on a really
big input.

> 4. If the command I use is as the one in question 1, which kind of packets
> would be filtered? Only TCP packets, right? If so, which ports the packets
> use would be filtered?

http-rewriter loads http-reply.bro, which specifies the filter as:

	tcp src port 80 or tcp src port 8080 or tcp src port 8000

> According to codes of http.bro, global http_ports are
> 80,81,631,1080,3138,8000,8080 and 8888.

Note, that list is used only if you turn on DPD.

> However, when checking the big trace rewritten by the command in question 1,
> majority of them are using 20480. Is port 20480 also an http port?

Well, other than 80, none of them is a standardized HTTP port.  But you
can add 20480 to the list in http-reply.bro to ensure it's captured.

> Besides,
> there are still a small portion with port numbers different from all above.
> So I am confused with the filtration of http-rewriter.bro.

Then in principle you should use DPD.  However, I don't know whether
it's integrated with the rewriting framework.
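
An added example, not part of the original message or of Bro: it reads TCP source ports from constructed frames and checks them against the http-reply.bro filter quoted above. It also shows one possible reason, which the thread does not state, for seeing 20480 when inspecting a trace: that value is port 80 with its two bytes swapped, which is what a checking tool prints if it skips the network-to-host byte-order conversion. All function names and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

# Source ports in the http-reply.bro filter quoted in the reply above.
FILTER_SRC_PORTS = {80, 8080, 8000}

def tcp_src_port(frame, fmt="!H"):
    """TCP source port of an Ethernet/IPv4 frame, or None if it is not TCP."""
    # fmt="!H" is network byte order (correct); "<H" mimics a missing ntohs().
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 ethertype
        return None
    ihl = (frame[14] & 0x0F) * 4                          # IP header length
    if frame[23] != 6 or len(frame) < 14 + ihl + 2:       # protocol 6 = TCP
        return None
    return struct.unpack_from(fmt, frame, 14 + ihl)[0]

def swap16(port):
    """Swap the two bytes of a 16-bit port number."""
    return ((port & 0xFF) << 8) | (port >> 8)

def classify(port):
    """Say how a reported port number relates to the capture filter."""
    if port in FILTER_SRC_PORTS:
        return "in filter"
    if swap16(port) in FILTER_SRC_PORTS:
        return "byte-swapped %d" % swap16(port)
    return "not in filter"

def make_frame(sport, dport, proto=6):
    """Constructed test frame: Ethernet + 20-byte IPv4 + 20-byte TCP header."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 8192, 0, 0)
    return eth + ip + tcp

def tally(frames, fmt="!H"):
    """Count classify() results over every TCP frame in the list."""
    ports = (tcp_src_port(f, fmt) for f in frames)
    return Counter(classify(p) for p in ports if p is not None)

# Constructed sample: three frames from port 80, one each from 8080 and 3128, one UDP.
SAMPLE = [make_frame(80, 40000)] * 3 + [make_frame(8080, 40001),
          make_frame(3128, 40002), make_frame(53, 40003, proto=17)]

if __name__ == "__main__":
    print("correct read :", dict(tally(SAMPLE)))
    print("no ntohs read:", dict(tally(SAMPLE, "<H")))
```

A port reported as "byte-swapped 80" is worth re-checking with a tool that is known to convert byte order before adding it to the filter list.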


