[Bro] handle out of order and retransmitted packets in offline trace
Song Zhao
sxz135 at case.edu
Sun May 15 21:05:43 PDT 2011
Hello, all,

I am trying to use the policy script http-rewriter.bro in Bro-1.5.1 to anonymize the HTTP message-body of all HTTP packets in a big dumped trace larger than 100GB (http-rewriter.bro actually deletes all HTTP message-bodies and adds one new header field named X-Actual-Data-Length, right?).

I am not sure whether Bro itself and http-rewriter.bro have the ability to reorder all TCP packets and delete retransmitted TCP packets in every connection of the dumped trace.

If they cannot do that, can I first reorder all packets and delete the retransmitted packets in every connection using some tools, and then use http-rewriter.bro? Is this approach reasonable? What tools would you suggest I use?

Besides, I want to test whether special HTTP packets exist. A special packet here means one packet that contains more than one HTTP construct (headers + message body). When using http-rewriter.bro on several special packets I created, it seems that it can delete the message-body correctly in almost all cases as long as the packets in the connection are in order and complete. Can http-rewriter.bro handle the special cases correctly, as I found?

I look forward to your answer, and thank you very much.
Song Zhao
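The two steps the question turns on, shown as a small added example that is not Bro's or http-rewriter.bro's code: reassembling a connection's TCP segments in sequence order while discarding retransmitted bytes, then walking the reassembled stream so that several HTTP constructs in one segment are each handled, deleting each message body and recording its size in an X-Actual-Data-Length header. The Segment type and the sample request stream are constructed here; replacing Content-Length with the new header and handling only Content-Length framing (not chunked encoding) are simplifications of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    seq: int        # relative TCP sequence number (constructed example type)
    payload: bytes

def reassemble(segments, isn=0):
    """Order segments by sequence number and drop retransmitted bytes.

    Only the part of a segment beyond the current stream offset is kept,
    so full and partial (overlapping) retransmissions add nothing.
    A hole in the sequence space is reported rather than papered over.
    """
    stream = bytearray()
    expected = isn
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue                      # pure retransmission, already delivered
        if seg.seq > expected:
            raise ValueError(f"gap at stream offset {expected}")
        stream += seg.payload[expected - seg.seq:]   # skip overlapping prefix
        expected = end
    return bytes(stream)

def strip_bodies(stream):
    """Delete every HTTP message body in the reassembled stream.

    Loops so that several HTTP constructs back to back (the 'special
    packets' in the question) are each processed.  The body length is
    recorded in X-Actual-Data-Length, which replaces Content-Length.
    """
    out = bytearray()
    pos = 0
    while pos < len(stream):
        hdr_end = stream.find(b"\r\n\r\n", pos)
        if hdr_end < 0:
            raise ValueError("truncated header block")
        lines = stream[pos:hdr_end].split(b"\r\n")
        body_len = 0
        kept = []
        for line in lines:
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                body_len = int(value.strip())
            else:
                kept.append(line)
        out += b"\r\n".join(kept) + b"\r\nX-Actual-Data-Length: %d\r\n\r\n" % body_len
        pos = hdr_end + 4 + body_len      # jump over the body without copying it
    return bytes(out)
```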