[Bro] handle out of order and retransmitted packets in offline trace

Ruoming Pang rpang at cs.princeton.edu
Mon May 16 13:24:54 PDT 2011


Hi,

I forgot about the details, but here is the basic idea. The rewritten
packets will not reproduce the original TCP segment ordering and
retransmission, however, the timestamps will be preserved by creating one
output packet that corresponds to every input packet timestamp. So if you
remove a big chunk of body, you will see a bunch of empty packets (which
compress quite well).

Ruoming

On Mon, May 16, 2011 at 12:05 AM, Song Zhao <sxz135 at case.edu> wrote:

> Hello, All
>
> I am trying to use the policy script http-rewriter.bro in Bro-1.5.1 to
> anonymize the HTTP message-body of all HTTP packets in a big dumped trace
> larger than 100GB (http-rewriter.bro actually deletes all HTTP message-body
> and adds one new header field named X-Actual-Data-Length, right?).
>
> I am not sure if Bro itself and http-rewriter.bro have the ability of
> reordering all TCP packets and deleting TCP retransmitted packets in every
> connection of the dumped trace?
>
> If they cannot do that, whether I can reorder all packets and delete the
> retransmitted packets in every connection first by using some tools and then
> use http-rewriter.bro? Is this way reasonable? What's your suggestion
> about the tools I can use?
>
> Besides, I want to test if special HTTP packets exist. Special packet here
> means there is more than one HTTP construct (headers + message body) in one
> packet. When using http-rewriter.bro on several special packets I created,
> it seems that it can delete the message-body correctly for almost all
> cases as long as the packets in the connection are in order and complete.
> Can http-rewriter.bro handle the special cases correctly, as I found?
>
> I look forward to your answer, and thank you very much.
>
> Song Zhao
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
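The reordering and retransmission handling the question asks about, as an added example that is not code from Bro or the http-rewriter.bro script: a small per-direction TCP reassembler that buffers segments arriving ahead of a hole and discards bytes already delivered, so the HTTP constructs it yields are in order before any body stripping is applied. The sequence numbers, timestamps and payloads are constructed.

```python
"""Per-direction TCP reassembly that drops retransmitted bytes and buffers
out-of-order segments. Constructed example, not code from Bro or the
http-rewriter.bro script; sequence numbers and payloads are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    ts: float        # capture timestamp in seconds
    seq: int         # TCP sequence number of the first payload byte
    payload: bytes


def reassemble(segments, isn):
    """Return (stream, stats) for one direction of a connection; `isn` is
    the sequence number of the first expected payload byte."""
    stats = {"retransmitted": 0, "reordered": 0}
    pending = {}              # seq -> payload for segments that arrived early
    stream = bytearray()
    next_seq = isn
    for seg in sorted(segments, key=lambda s: s.ts):   # capture order
        if seg.seq > next_seq:            # a hole precedes it: hold it back
            stats["reordered"] += 1
            pending[seg.seq] = seg.payload
            continue
        pending[seg.seq] = seg.payload    # in order (or overlapping): drain
        while pending:
            lo = min(pending)
            if lo > next_seq:             # next buffered segment is past a hole
                break
            data = pending.pop(lo)
            end = lo + len(data)
            if end <= next_seq:           # every byte already delivered
                stats["retransmitted"] += 1
                continue
            stream += data[next_seq - lo:]  # keep only the unseen tail
            next_seq = end
    stats["unfilled_holes"] = len(pending)
    return bytes(stream), stats


HEADERS, CL, BODY = b"HTTP/1.1 200 OK\r\n", b"Content-Length: 5\r\n", b"\r\nhello"
ISN = 1000
# Constructed capture: the body arrives before the second header line, and
# the second header line is then retransmitted.
SEGMENTS = [
    Segment(0.0, ISN, HEADERS),
    Segment(0.1, ISN + len(HEADERS) + len(CL), BODY),   # out of order
    Segment(0.2, ISN + len(HEADERS), CL),
    Segment(0.3, ISN + len(HEADERS), CL),               # retransmission
]
```

`reassemble(SEGMENTS, ISN)` returns the ordered response bytes plus counts of reordered and retransmitted segments; a non-zero `unfilled_holes` flags a connection whose trace is incomplete and should not be trusted for body removal.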