[Bro] Bro: TCP reassembly question
Ruoming Pang (庞若鸣)
rpang at cs.princeton.edu
Thu Jan 26 11:12:11 PST 2006
Hi Thomas,
I'd like to first clarify that the TCP reassembler does not have to
put different blocks in a single buffer. Instead, its job is to
deliver the bytes in order, no matter how many bytes it delivers at a
time. On top of that, some ASCII protocol analyzers (such as HTTP)
employ a line reassembler, while binary protocol analyzers (such as
RPC) have their own frame reassembler. Therefore, the TCP reassembler
uses a linked list, instead of a single buffer, for TCP reassembly.
> When does bro allocate memory for doing reassembly (putting the
> different blocks of data together) ?
In theory, the TCP reassembler only needs to copy segments that arrive
out of order. In practice, though, Bro makes a copy of every segment,
and deallocates the copy once it is delivered.
> What is the size of the reassembly buffer ? Does that grow ? till what
> size does it grow ?
That's a great question. I'm not aware of any cap on the total size of
reassembly buffers.
I hope that I answered your questions.
Ruoming
On Jan 26, 2006, at 12:52 PM, Adayadil Thomas wrote:
> Greetings.
>
> I have a couple of questions about BRO's tcp stream reassembly.
> Please reply if you have answers.
>
> When does bro allocate memory for doing reassembly (putting the
> different blocks of data together) ?
> Does it append to this same buffer when subsequent stream data comes ?
> What is the size of the reassembly buffer ? Does that grow ? till
> what size does it grow ?
>
>
> Any information or pointers are appreciated.
>
> Thanks a lot
> Thomas
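
An added example, not part of the original message and not Bro's own code: a minimal sketch of the reassembly described in the reply, where each segment is copied, out-of-order blocks wait in a sorted linked list, and bytes are handed on strictly in order. All names are hypothetical, and the `max_buffered` cap is an assumption added here to show how a bound on pending data would behave; the reply says no such cap is known in Bro.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <list>
#include <string>

// Hypothetical names. Sequence numbers are plain 64-bit stream offsets (no wraparound).
struct Block { uint64_t seq; std::string data; };  // copy of one segment's payload

class Reassembler {
public:
    explicit Reassembler(size_t max_buffered) : cap_(max_buffered) {}
    // Returns false when an out-of-order segment is dropped because of the cap.
    bool Segment(uint64_t seq, std::string data) {    // by value: every segment is copied
        if (seq + data.size() <= next_) return true;  // retransmission of delivered bytes
        if (seq < next_) { data.erase(0, next_ - seq); seq = next_; }  // trim old prefix
        if (seq == next_) { Deliver(data); Drain(); return true; }     // in order
        if (buffered_ + data.size() > cap_) return false;  // assumed cap, not Bro behaviour
        auto it = blocks_.begin();
        while (it != blocks_.end() && it->seq < seq) ++it;  // keep the list sorted by seq
        buffered_ += data.size();
        blocks_.insert(it, Block{seq, data});
        return true;
    }
    const std::string& Delivered() const { return out_; }
    size_t Buffered() const { return buffered_; }

private:
    void Deliver(const std::string& d) { out_ += d; next_ += d.size(); }
    // Hand over queued blocks that became contiguous and free each one afterwards.
    void Drain() {
        while (!blocks_.empty() && blocks_.front().seq <= next_) {
            Block b = blocks_.front();
            blocks_.pop_front();
            buffered_ -= b.data.size();
            uint64_t end = b.seq + b.data.size();
            if (end > next_) Deliver(b.data.substr(next_ - b.seq));  // skip overlap
        }
    }
    std::list<Block> blocks_;   // pending out-of-order blocks
    std::string out_;           // stands in for the analyzer receiving the bytes
    uint64_t next_ = 0;         // next stream offset to deliver
    size_t buffered_ = 0, cap_;
};

int main() {
    Reassembler r(8);   // constructed input: segments arrive at offsets 0, 9, 4
    r.Segment(0, "GET "); r.Segment(9, "HTTP"); r.Segment(4, "/idx ");
    std::cout << r.Delivered() << "\n";
}
```

Without the cap check, a sender that leaves a hole at the start of the stream and keeps sending later segments makes the pending list grow for as long as the connection stays open.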