Hi,

I have a question regarding running Bro on an application-level TCP byte stream, and was wondering which implementation option to choose. Any help is much appreciated! Details below.

I have access to an application-level byte stream (e.g., say, an http session consisting of http put and get packets) that I would like to run Bro on in an online fashion (I specifically plan to use its trace anonymization capabilities). I do not have access to the corresponding TCP byte stream / IP byte stream, but I do have the TCP state information required (source/dest addr, source/dest port). I am wondering how to have Bro process these packets. I can think of the following ways by reading the various docs, but am not sure whether there is anything else I have missed.

1. Cook up fake link-layer, TCP, IP headers, and feed Bro via a FIFO.

2. Use Broccoli to send really low-level events (events being "so and so bytes seen on so and so conn"). These events have to be low-level because I am trying to minimize any application-specific parsing before sending to Bro.

3. Use the Bro source code directly, and somehow instantiate an analyzer directly on the byte-stream. Any state needed (such as connection endpoints) has to be cooked up.

After reading the source code and various docs, I am tending towards (3), since it won't have the performance hit of a FIFO/Broccoli, but am wondering whether the state is separable enough for me to do this.

Thanks in advance, and if anything is not clear, please let me know,

Jayanth
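Option (1) above, cooking up fake link-layer/IP/TCP headers around the application bytes, as an added worked example that is not part of the original post and not code from the Bro project. It synthesizes a three-way handshake, the data segments with correct sequence/ack numbers, and a FIN exchange, and emits standard pcap that `bro -r` can read from a file or a FIFO. The 4-tuple, MAC addresses, initial sequence numbers and the HTTP messages are constructed for illustration; in the poster's setting the 4-tuple would come from the known TCP state and the payloads from the real application stream. The one detail that matters in practice is the checksums: Bro discards packets with bad IP/TCP checksums by default, so every other header field may be fake but those two must be right.

```python
"""Wrap an application-level byte stream in synthesized Ethernet/IPv4/TCP
headers and emit it as pcap for Bro. Added example, not from the original
post or from Bro; addresses, ports and payloads below are constructed."""
import socket
import struct

ETH_P_IP = 0x0800
FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10


def inet_checksum(data: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071), odd tail zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src, sport, dst, dport, seq, ack, flags, payload=b"") -> bytes:
    """Ethernet + IPv4 + TCP headers around `payload`, with valid checksums.
    Bro drops packets whose checksums fail by default, so these are computed
    properly even though MACs, TTL, window and IP id are arbitrary."""
    src_ip, dst_ip = socket.inet_aton(src), socket.inet_aton(dst)
    tcp_len = 20 + len(payload)
    # TCP header with checksum field zeroed, then filled in over the pseudo-header.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq & 0xFFFFFFFF,
                      ack & 0xFFFFFFFF, 5 << 4, flags, 65535, 0, 0)
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, 64,
                     socket.IPPROTO_TCP, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    # Locally administered, made-up MAC addresses (dst, src) and the IPv4 ethertype.
    eth = bytes([2, 0, 0, 0, 0, 2]) + bytes([2, 0, 0, 0, 0, 1]) + struct.pack("!H", ETH_P_IP)
    return eth + ip + tcp + payload


def build_pcap(src, sport, dst, dport, exchange, client_isn=1000, server_isn=5000) -> bytes:
    """`exchange` is a list of ("client"|"server", bytes) in stream order.
    Produces handshake, data (each segment ACKed by the peer) and a FIN
    exchange so Bro's TCP analyzer sees a complete, properly sequenced
    connection rather than a partial one. ISNs are arbitrary constants."""
    seq = {"client": client_isn, "server": server_isn}
    tuple_of = {"client": (src, sport, dst, dport), "server": (dst, dport, src, sport)}
    frames = []

    def send(side, flags, payload=b""):
        other = "server" if side == "client" else "client"
        s, sp, d, dp = tuple_of[side]
        ack = seq[other] if flags & ACK else 0
        frames.append(build_frame(s, sp, d, dp, seq[side], ack, flags, payload))
        # SYN and FIN each consume one sequence number, as does every data byte.
        seq[side] += len(payload) + (1 if flags & (SYN | FIN) else 0)

    send("client", SYN)
    send("server", SYN | ACK)
    send("client", ACK)
    for side, payload in exchange:
        send(side, PSH | ACK, payload)
        send("server" if side == "client" else "client", ACK)
    send("client", FIN | ACK)
    send("server", FIN | ACK)
    send("client", ACK)

    # pcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen, linktype 1 (Ethernet).
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        ts_sec, ts_usec = 1_500_000_000 + i // 1000, (i % 1000) * 1000  # 1 ms apart
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def pcap_frames(pcap: bytes):
    """Split a pcap produced above back into raw frames (used for checking)."""
    assert struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4
    off, frames = 24, []
    while off < len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frames.append(pcap[off + 16:off + 16 + incl])
        off += 16 + incl
    return frames


def checksums_ok(frame: bytes) -> bool:
    """Recompute IPv4 and TCP checksums; both must fold to zero over the frame."""
    ip = frame[14:34]
    if inet_checksum(ip) != 0:
        return False
    total_len = struct.unpack("!H", ip[2:4])[0]
    seg = frame[34:14 + total_len]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(seg))
    return inet_checksum(pseudo + seg) == 0


def tcp_payload(frame: bytes):
    """Return (sport, dport, payload) of a frame built by build_frame."""
    total_len = struct.unpack("!H", frame[16:18])[0]
    sport, dport = struct.unpack("!HH", frame[34:38])
    return sport, dport, frame[54:14 + total_len]


if __name__ == "__main__":
    import sys
    # Constructed sample exchange standing in for the real application stream.
    exchange = [
        ("client", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        ("server", b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    ]
    sys.stdout.buffer.write(build_pcap("10.0.0.1", 40000, "10.0.0.2", 80, exchange))
```

Run as `python3 fake_headers.py > stream.pcap && bro -r stream.pcap` (or point stdout at a FIFO that `bro -r` is reading) and Bro's HTTP analyzer should log the request and response as an ordinary connection. For a long-lived online stream the same `send` bookkeeping applies: keep the two sequence counters per connection and emit one PSH|ACK segment per chunk of application bytes as they arrive.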