[Bro] handle out of order and retransmitted packets in offline trace

Ruoming Pang rpang at cs.princeton.edu
Fri May 27 10:27:58 PDT 2011


On Fri, May 27, 2011 at 11:22 AM, Song Zhao <sxz135 at case.edu> wrote:

> > 1. Is the command to use http-rewriter.bro on a captured offline trace as
> > follows?
> >      ./bro -r 'the name of tracefile we want to deal with' http-rewriter.bro
> >      -w 'the name of tracefile where we want to write the resulting packets'
>
> >> It's -A, not -w.
>
> Will there be any difference between -A and -w for the use of
> http-rewriter.bro?  I just used -A to rewrite some examples and it seems
> that the resulting files are the same as those using -w.
>
> > According to the code of http.bro, global http_ports are
> > 80,81,631,1080,3138,8000,8080 and 8888.
>
> Note, that list is used only if you turn on DPD.
>
> > Besides,
> > there is still a small portion with port numbers different from all
> > of the above.
> > So I am confused with the filtering of http-rewriter.bro.
>
> Then in principle you should use DPD.  However, I don't know whether
> it's integrated with the rewriting framework.
>
> The command I used is only "./bro -r readfile http-rewriter.bro -w
> writerfile".


I'm not sure if it still matters, but one used to need to specify all
options before arguments, so try:

./bro -r readfile -A writerfile http-rewriter.bro


> I don't know if DPD is turned on. Actually, http.bro is loaded by
> http-request.bro, which is also loaded by http-reply.bro. In http.bro, I
> think there are codes about DPD as follows:
> # DPM configuration.
> global http_ports = {
>     80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp,
>     8000/tcp, 8080/tcp, 8888/tcp,
> };
> redef dpd_config += { [ANALYZER_HTTP] = [$ports = http_ports] };
> redef dpd_config += { [ANALYZER_HTTP_BINPAC] = [$ports = http_ports] };
> Does it mean DPD has been integrated within the rewriting framework? And
> is it the reason why the majority of the rewritten trace I got is from port
> 20480 and also from some ports other than 80,8000,8080?
>
> Thanks a lot.
>
> Song
>