[Bro] tcp contents

Ruoming Pang rpang at CS.Princeton.EDU
Tue Nov 30 07:14:06 PST 2004


> event tcp_contents(c: connection, is_orig: bool, seq: count, contents: 
> string)
>
> though this won't easily do the right thing in the presence of packet
> loss/retransmission.

In fact, tcp_contents won't be affected by packet loss/retransmission, 
and it always delivers contents in the order of TCP sequence numbers, 
because it is called after TCP reassembly in 
TCP_Contents::DeliverBlock(). However:

1) There can be content gaps in case some packets are not captured by 
Bro. Gaps are reported by event content_gap, but you can also tell by 
looking at parameter <seq> and length of <contents> of tcp_contents.

2) Also, if the connection is "skipped" (some analyzers, e.g. 
Netbios/SSN, will automatically skip after seeing a content gap), via

function skip_further_processing%(cid: conn_id%): bool

the content afterwards won't reach tcp_contents. The same also applies 
to "TCP content files".

Ruoming
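The gap check from point 1 (compare the seq parameter with the end of the previous delivery) as an added example policy script; it is not from the original post or from the Bro distribution, and it assumes old-style Bro script syntax, the tcp_content_deliver_all_* redefs to enable tcp_contents for every connection, and id_string from conn.bro.

```bro
# Added example (not part of the original post). Tracks the next expected
# TCP sequence number per direction of each connection and reports a gap
# whenever a tcp_contents delivery starts past that point.

# Assumption: these redefs make Bro deliver tcp_contents for all
# connections, not only for the content-delivery ports.
redef tcp_content_deliver_all_orig = T;
redef tcp_content_deliver_all_resp = T;

# Next expected sequence number, indexed by connection and direction.
global next_seq: table[conn_id, bool] of count;

event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
	{
	if ( [c$id, is_orig] in next_seq && seq > next_seq[c$id, is_orig] )
		print fmt("content gap in %s (%s): %d bytes missing before seq %d",
		          id_string(c$id), is_orig ? "orig" : "resp",
		          seq - next_seq[c$id, is_orig], seq);

	# Contents arrive in sequence order, so the next delivery is expected
	# to begin right after this one ends.
	next_seq[c$id, is_orig] = seq + byte_len(contents);
	}

event connection_state_remove(c: connection)
	{
	# Drop the per-connection state once Bro forgets the connection.
	delete next_seq[c$id, T];
	delete next_seq[c$id, F];
	}
```

Once a connection is skipped (point 2), no further tcp_contents events arrive for it, so this handler stays silent for that connection rather than reporting a gap.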

