[Bro] about "reassembles IP fragments"

Christian Kreibich christian at whoop.org
Fri Oct 22 03:24:51 PDT 2004


Hi,

On Fri, 2004-10-22 at 02:56, cliff wrote:
> Hi all,
>     In Vern's paper, "Bro: A System for Detecting Network Intruders in Real-Time", there are the following sentences:
>     "The resulting filtered packet stream is then handed up to the next layer, the Bro ``event engine.'' This layer first performs several integrity checks to assure that the packet headers are well-formed, including verifying the IP header checksum. If these checks fail, then Bro generates an event indicating the problem and discards the packet. It is also at this point that Bro reassembles IP fragments so it can then analyze complete IP datagrams."
>     However, I can't find the implementation details in the source code, i.e. "verifying the IP header checksum" and "reassembles IP fragments".
>     I wish to get your help. Thanks a lot!

for IP checksumming, check Sessions.cc around 261 (assuming a 0.9a4a
tree). "grep -i checksum *.cc" also helps :) Fragment reassembly is done
in Frag.cc.

Cheers,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org
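
The header integrity checks described in the quoted paper passage, as an added example that is not part of the original message and is not Bro's code from Sessions.cc or Frag.cc: it validates an IPv4 header (length fields, then the RFC 1071 checksum) and tests whether the datagram would need reassembly. The enum and function names are hypothetical, and the sample header is constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Result of the header checks. Names are hypothetical, not Bro's event names.
enum class HdrCheck { Ok, Truncated, BadVersion, BadHeaderLen, BadTotalLen, BadChecksum };

// RFC 1071 one's-complement sum over big-endian 16-bit words, carries folded.
// len is always even here because an IPv4 header length is a multiple of 4.
static uint16_t ones_complement_sum(const uint8_t* p, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t(p[i]) << 8) | p[i + 1];
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return uint16_t(sum);
}

// Validate an IPv4 header before anything is read from it. caplen is the
// number of bytes actually captured, which may be less than the datagram.
HdrCheck check_ipv4_header(const uint8_t* pkt, size_t caplen) {
    if (caplen < 20) return HdrCheck::Truncated;
    if ((pkt[0] >> 4) != 4) return HdrCheck::BadVersion;
    size_t hl = size_t(pkt[0] & 0x0F) * 4;          // IHL in bytes
    if (hl < 20) return HdrCheck::BadHeaderLen;
    if (hl > caplen) return HdrCheck::Truncated;    // options not captured
    size_t total = (size_t(pkt[2]) << 8) | pkt[3];  // total datagram length
    if (total < hl) return HdrCheck::BadTotalLen;
    // Summing the header with its checksum field included gives 0xFFFF when intact.
    if (ones_complement_sum(pkt, hl) != 0xFFFF) return HdrCheck::BadChecksum;
    return HdrCheck::Ok;
}

// A datagram needs reassembly if More Fragments is set or the offset is non-zero.
// Call only after check_ipv4_header() returned Ok.
bool is_fragment(const uint8_t* pkt) {
    uint16_t ff = uint16_t((pkt[6] << 8) | pkt[7]);
    return (ff & 0x2000) != 0 || (ff & 0x1FFF) != 0;
}

// Constructed sample: 20-byte header, UDP, 192.168.0.1 -> 192.168.0.199, DF set.
const uint8_t kSampleHdr[20] = {0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
                                0xb8, 0x61, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7};

int main() {
    std::printf("check=%d fragment=%d\n", int(check_ipv4_header(kSampleHdr, sizeof kSampleHdr)),
                int(is_fragment(kSampleHdr)));
    return 0;
}
```

The length checks run before the checksum so that a bogus header-length field can never make the sum read past the captured bytes.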
