[Bro] tcp contents
Ruoming Pang
rpang at CS.Princeton.EDU
Tue Nov 30 07:14:06 PST 2004
> event tcp_contents(c: connection, is_orig: bool, seq: count, contents:
> string)
>
> though this won't easily do the right thing in the presence of packet
> loss/retransmission.
In fact, tcp_contents won't be affected by packet loss/retransmission,
and it always delivers contents in the order of TCP sequence numbers,
because it is called after TCP reassembly in
TCP_Contents::DeliverBlock(). However:
1) There can be content gaps in case some packets are not captured by
Bro. Gaps are reported by event content_gap, but you can also tell by
looking at the parameter <seq> and the length of <contents> of tcp_contents.
2) Also, if the connection is "skipped" (some analyzers, e.g.
Netbios/SSN, will automatically skip after seeing a content gap) via

function skip_further_processing%(cid: conn_id%): bool

the content afterwards won't reach tcp_contents. The same also applies
to "TCP content files".
Ruoming
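The gap check described above, worked through as an added example (this script is not part of the original post or of the Bro distribution). It tracks the next expected sequence number per connection direction from the <seq> and <contents> parameters of tcp_contents, so a jump in <seq> is flagged even without content_gap, and it also logs content_gap for comparison. It assumes current Zeek syntax for the Bro scripting language, and that content delivery has been turned on for the traffic of interest via tcp_content_deliver_all_orig/tcp_content_deliver_all_resp (the table name next_seq and the output format are the example's own choices).

```zeek
# Added example, not original Bro code: detect reassembly gaps from the
# (seq, |contents|) pairs handed to tcp_contents.

# Deliver reassembled payload for every TCP connection, both directions.
# (Assumption: these redef'able constants are used to enable tcp_contents.)
redef tcp_content_deliver_all_orig = T;
redef tcp_content_deliver_all_resp = T;

# Next sequence number we expect to see, per connection id and direction.
# Hypothetical helper state for this example.
global next_seq: table[conn_id, bool] of count;

function dir_string(c: connection, is_orig: bool): string
	{
	return fmt("%s:%d -> %s:%d (%s)",
	           c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
	           is_orig ? "orig" : "resp");
	}

event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
	{
	# First delivery in this direction: just remember where it started.
	if ( [c$id, is_orig] !in next_seq )
		next_seq[c$id, is_orig] = seq;

	local expected = next_seq[c$id, is_orig];

	if ( seq > expected )
		# Bytes [expected, seq) were never captured: a content gap.
		print fmt("%s gap: %d bytes missing before seq %d",
		          dir_string(c, is_orig), seq - expected, seq);
	else if ( seq < expected )
		# Should not happen after reassembly; note it if it ever does.
		print fmt("%s overlap: got seq %d, expected %d",
		          dir_string(c, is_orig), seq, expected);

	next_seq[c$id, is_orig] = seq + |contents|;
	}

# Bro's own gap report, for comparison with the tcp_contents-based check.
event content_gap(c: connection, is_orig: bool, seq: count, length: count)
	{
	print fmt("%s content_gap event: %d bytes at seq %d",
	          dir_string(c, is_orig), length, seq);
	}

# Drop per-connection state once the connection is gone.
event connection_state_remove(c: connection)
	{
	delete next_seq[c$id, T];
	delete next_seq[c$id, F];
	}
```

Run it against a trace (for example `zeek -r trace.pcap gap-check.zeek`); on a capture with drops, the gap lines from tcp_contents and the content_gap lines should agree on the missing byte ranges. Once an analyzer skips the connection, neither event fires for the remaining payload, which is the second point made above.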