[Bro] handle out of order and retransmitted packets in offline trace

Song Zhao sxz135 at case.edu
Mon May 16 13:51:28 PDT 2011


Hi,

Thanks for your explanation. But I am still a little confused. Can
http-rewriter.bro rewrite all HTTP packets in a TCP connection where
out-of-order and retransmitted packets exist?

Song Zhao

On Mon, May 16, 2011 at 4:24 PM, Ruoming Pang <rpang at cs.princeton.edu> wrote:

> Hi,
>
> I forgot about the details, but here is the basic idea. The rewritten
> packets will not reproduce the original TCP segment ordering and
> retransmissions; however, the timestamps will be preserved by creating one
> output packet that corresponds to every input packet timestamp. So if you
> remove a big chunk of body, you will see a bunch of empty packets (which
> compress quite well).
>
> Ruoming
>
> On Mon, May 16, 2011 at 12:05 AM, Song Zhao <sxz135 at case.edu> wrote:
>
>> Hello, All
>>
>> I am trying to use the policy script http-rewriter.bro in Bro-1.5.1 to
>> anonymize the HTTP message bodies of all HTTP packets in a big dumped trace
>> larger than 100GB (http-rewriter.bro actually deletes all HTTP message bodies
>> and adds one new header field named X-Actual-Data-Length, right?).
>>
>> I am not sure whether Bro itself and http-rewriter.bro have the ability to
>> reorder all TCP packets and delete retransmitted TCP packets in every
>> connection of the dumped trace.
>>
>> If they cannot do that, can I first reorder all packets and delete the
>> retransmitted packets in every connection using some tools and then
>> use http-rewriter.bro? Is this approach reasonable? What tools would you
>> suggest I use?
>>
>> Besides, I want to test whether special HTTP packets exist. A special packet
>> here means there is more than one HTTP construct (headers + message body) in
>> one packet. When using http-rewriter.bro on several special packets I created,
>> it seems that it can delete the message body correctly in almost all
>> cases, as long as the packets in the connection are in order and complete.
>> Can http-rewriter.bro handle these special cases correctly, as I found?
>>
>> I look forward to your answer, and thank you very much.
>>
>> Song Zhao
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
>
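The following Python is an added example, not part of the original thread and not Bro's own http-rewriter.bro code. It models the idea Ruoming describes for one direction of one connection: the TCP segments are first reassembled in sequence order (dropping retransmitted bytes), the HTTP messages are then parsed from the reassembled stream rather than packet by packet (so a segment that holds the end of one message and the start of the next needs no special handling), every message body is removed and replaced by an X-Actual-Data-Length header, and exactly one output packet is emitted per input packet with its timestamp preserved, empty where all of its bytes were removed or retransmitted. Everything beyond what the thread states is my assumption: bodies are framed by Content-Length only, Content-Length is rewritten to 0 so the output stream still parses, the output sequence numbers are simply offsets into the rewritten stream, and the trace below is constructed.

```python
"""Model of an offline HTTP body-stripping rewriter over a TCP trace.

Added example (not Bro's http-rewriter.bro).  One direction of one
connection is given as (timestamp, relative seq, payload) segments,
as captured, i.e. possibly out of order and with retransmissions.
"""
import re
from typing import Dict, List, Tuple

Segment = Tuple[float, int, bytes]  # (timestamp, relative TCP seq, payload)

# Assumption: bodies are framed by Content-Length only.  Chunked or
# close-delimited bodies are not handled here.
_CONTENT_LENGTH = re.compile(rb"^Content-Length:[ \t]*(\d+)[ \t]*\r\n", re.I | re.M)


def reassemble(segments: List[Segment]):
    """Rebuild the byte stream in sequence order.

    Returns (stream, contrib) where contrib[i] = (start, end) is the range of
    stream offsets that input packet i was the first to supply; a pure
    retransmission gets an empty range.  A sequence gap raises: an offline
    rewriter must not silently splice across missing data.
    """
    order = sorted(range(len(segments)), key=lambda i: (segments[i][1], segments[i][0]))
    stream = bytearray()
    contrib: List[Tuple[int, int]] = [(0, 0)] * len(segments)
    next_seq = segments[order[0]][1] if segments else 0
    for i in order:
        _, seq, data = segments[i]
        if seq > next_seq:
            raise ValueError(f"sequence gap: expected {next_seq}, got {seq}")
        start, end = max(seq, next_seq), seq + len(data)  # skip bytes already seen
        if end > start:
            stream += data[start - seq:]
            next_seq = end
        contrib[i] = (start, max(start, end))
    return bytes(stream), contrib


def strip_bodies(stream: bytes):
    """Walk every HTTP message in the reassembled stream and decide, per
    original byte offset, what to emit in its place.  Returns the per-offset
    replacement list, headers to insert before an offset, and the body ranges."""
    keep: List[bytes] = [bytes([b]) for b in stream]   # default: keep the byte
    insert_before: Dict[int, bytes] = {}
    bodies: List[Tuple[int, int]] = []
    pos, n = 0, len(stream)
    while pos < n:
        hdr_end = stream.find(b"\r\n\r\n", pos)
        if hdr_end < 0:
            raise ValueError(f"truncated header block at offset {pos}")
        body_start = hdr_end + 4
        m = _CONTENT_LENGTH.search(stream, pos, hdr_end + 2)
        body_len = int(m.group(1)) if m else 0
        body_end = body_start + body_len
        if body_end > n:
            raise ValueError(f"truncated body at offset {body_start}")
        if m:  # assumption: rewrite Content-Length so the output still parses
            for o in range(m.start(), m.end()):
                keep[o] = b""
            keep[m.start()] = b"Content-Length: 0\r\n"
        # announce the real length where the body used to follow
        insert_before[hdr_end + 2] = b"X-Actual-Data-Length: %d\r\n" % body_len
        for o in range(body_start, body_end):
            keep[o] = b""
        bodies.append((body_start, body_end))
        pos = body_end
    return keep, insert_before, bodies


def rewrite_trace(segments: List[Segment]) -> List[Tuple[float, int, bytes]]:
    """Emit one output packet per input packet, keeping its timestamp.
    The new seq is the packet's offset in the rewritten stream (assumption);
    a packet whose bytes were all removed or retransmitted comes out empty."""
    stream, contrib = reassemble(segments)
    keep, insert_before, _ = strip_bodies(stream)
    new_payload: Dict[int, Tuple[int, bytes]] = {}
    cursor = 0
    for i in sorted(range(len(segments)), key=lambda i: contrib[i][0]):
        a, b = contrib[i]
        payload = b"".join(insert_before.get(o, b"") + keep[o] for o in range(a, b))
        new_payload[i] = (cursor, payload)
        cursor += len(payload)
    return [(segments[i][0],) + new_payload[i]
            for i in sorted(range(len(segments)), key=lambda i: segments[i][0])]


# Constructed trace: two pipelined responses, split so that segment C holds the
# end of response 1, its body and the start of response 2 (a "special packet"),
# delivered out of order (B before C) and with C retransmitted as D.
RESP1 = b"HTTP/1.1 200 OK\r\nContent-Length: 11\r\n\r\nhello world"
RESP2 = b"HTTP/1.1 404 Not Found\r\nContent-Length: 9\r\n\r\nnot found"
FULL = RESP1 + RESP2
TRACE: List[Segment] = [
    (1.0, 0, FULL[0:30]),
    (1.1, 60, FULL[60:]),
    (1.2, 30, FULL[30:60]),
    (1.3, 30, FULL[30:60]),
]

if __name__ == "__main__":
    for ts, seq, payload in rewrite_trace(TRACE):
        print(f"{ts:.1f} seq={seq:3d} len={len(payload):2d} {payload!r}")
```

Running it shows the behaviour the thread discusses: the retransmitted segment D becomes an empty packet, segment C (which carried the end of one message, its whole body and the start of the next) is rewritten correctly because the decision was taken on the reassembled stream, and the output packets keep their original timestamps, so reading them back in timestamp order does not reproduce the stream while reading them in sequence order yields two well-formed, bodiless responses. A real trace needs the same treatment for the request direction and for every connection, and a sequence gap deliberately raises instead of being papered over.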

