[Bro] handle out of order and retransmitted packets in offline trace

Ruoming Pang rpang at cs.princeton.edu
Mon May 16 13:54:34 PDT 2011


http-rewriter.bro sits above the TCP layer and does not see TCP retransmission
or out-of-order packets.

On Mon, May 16, 2011 at 4:51 PM, Song Zhao <sxz135 at case.edu> wrote:

> Hi,
>
>  Thanks for your explanation. But I am still a little confused. Can
> http-rewriter.bro rewrite all HTTP packets in a TCP connection where out-of-
> order and retransmitted packets exist?
>
> Song Zhao
>
>
> On Mon, May 16, 2011 at 4:24 PM, Ruoming Pang <rpang at cs.princeton.edu> wrote:
>
>> Hi,
>>
>> I forgot about the details, but here is the basic idea. The rewritten
>> packets will not reproduce the original TCP segment ordering and
>> retransmission; however, the timestamps will be preserved by creating one
>> output packet that corresponds to every input packet timestamp. So if you
>> remove a big chunk of body, you will see a bunch of empty packets (which
>> compress quite well).
>>
>> Ruoming
>>
>> On Mon, May 16, 2011 at 12:05 AM, Song Zhao <sxz135 at case.edu> wrote:
>>
>>> Hello, All
>>>
>>> I am trying to use the policy script http-rewriter.bro in Bro-1.5.1 to
>>> anonymize the HTTP message-body of all HTTP packets in a big dumped trace
>>> larger than 100GB (http-rewriter.bro actually deletes all HTTP message-bodies
>>> and adds one new header field named X-Actual-Data-Length, right?).
>>>
>>> I am not sure if Bro itself and http-rewriter.bro have the ability to
>>> reorder all TCP packets and delete TCP retransmitted packets in every
>>> connection of the dumped trace.
>>>
>>> If they cannot do that, can I reorder all packets and delete the
>>> retransmitted packets in every connection first by using some tools and then
>>> use http-rewriter.bro? Is this way reasonable? What's your suggestion
>>> about the tools I can use?
>>>
>>> Besides, I want to test if special HTTP packets exist. Special packet
>>> here means there is more than one HTTP construct (headers + message body) in
>>> one packet. When using http-rewriter.bro on several special packets I
>>> created, it seems that it can delete the message-body correctly for almost
>>> all cases as long as the packets in the connection are in order and
>>> complete. Can http-rewriter.bro handle the special cases correctly, as I
>>> found?
>>>
>>> I look forward to your answer, and thank you very much.
>>>
>>> Song Zhao
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>
>>
>
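The layering Ruoming describes, as an added illustration that is not Bro's code and not http-rewriter.bro: a small TCP reassembler absorbs out-of-order, duplicate and overlapping retransmitted segments and hands an in-order byte stream to an HTTP-level rewriter, which therefore never sees the segment-level mess. The rewriter drops each message body and adds an X-Actual-Data-Length header, and the driver emits one output record per input segment timestamp, so segments that complete no message yield an empty record. The names Reassembler, HttpBodyStripper and rewrite_trace, the constructed five-segment trace (reordered, one pure retransmission, one overlapping retransmission, and two HTTP messages sharing a segment), and the choice to drop the now-inaccurate Content-Length header are assumptions of this example; only Content-Length bodies are handled, not chunked encoding.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    ts: float      # capture timestamp of the packet
    seq: int       # TCP sequence number of the first payload byte
    payload: bytes


class Reassembler:
    """In-order delivery for one direction of a TCP stream (illustration only)."""

    def __init__(self, isn: int):
        self.next_seq = isn      # next byte we still have to deliver
        self.pending = {}        # seq -> payload, segments waiting on a hole

    def push(self, seg: Segment) -> bytes:
        """Return the bytes that became contiguous because of this segment."""
        seq, data = seg.seq, seg.payload
        if seq < self.next_seq:                 # retransmission or overlap
            overlap = self.next_seq - seq
            if overlap >= len(data):
                return b""                      # pure duplicate: nothing new
            data, seq = data[overlap:], self.next_seq
        if seq > self.next_seq:                 # hole before it: buffer
            if len(data) > len(self.pending.get(seq, b"")):
                self.pending[seq] = data
            return b""
        out = bytearray(data)
        self.next_seq += len(data)
        while self.pending:                     # drain whatever now fits
            pseq = min(self.pending)
            if pseq > self.next_seq:
                break                           # still a hole
            pdata = self.pending.pop(pseq)
            skip = self.next_seq - pseq
            if skip < len(pdata):
                out += pdata[skip:]
                self.next_seq += len(pdata) - skip
        return bytes(out)


class HttpBodyStripper:
    """Works on the reassembled stream: body removed, X-Actual-Data-Length added."""

    def __init__(self):
        self.buf = b""

    def feed(self, data: bytes) -> bytes:
        self.buf += data
        out = b""
        while True:
            end = self.buf.find(b"\r\n\r\n")
            if end < 0:
                break                           # headers incomplete
            kept, clen = [], 0
            for line in self.buf[:end].split(b"\r\n"):
                name, _, value = line.partition(b":")
                if name.strip().lower() == b"content-length":
                    clen = int(value.strip())
                    continue                    # assumption: drop it, body is gone
                kept.append(line)
            total = end + 4 + clen
            if len(self.buf) < total:
                break                           # body not fully here yet
            kept.append(b"X-Actual-Data-Length: %d" % clen)
            out += b"\r\n".join(kept) + b"\r\n\r\n"
            self.buf = self.buf[total:]         # may leave the next message's start
        return out


def rewrite_trace(isn: int, segments):
    """One (timestamp, rewritten bytes) record per input segment, possibly empty."""
    reasm, rewriter = Reassembler(isn), HttpBodyStripper()
    return [(s.ts, rewriter.feed(reasm.push(s))) for s in segments]


# Constructed sample: two responses back to back in one server-to-client stream.
STREAM = (b"HTTP/1.1 200 OK\r\nContent-Length: 10\r\n\r\n0123456789"
          b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n")
ISN = 1000


def seg(ts, start, stop):
    return Segment(ts, ISN + start, STREAM[start:stop])


TRACE = [
    seg(1.0, 0, 20),    # in order
    seg(2.0, 40, 60),   # arrives early: hole at bytes 20..40
    seg(3.0, 20, 40),   # fills the hole; first message completes here
    seg(4.0, 20, 40),   # pure retransmission
    seg(5.0, 50, 95),   # overlapping retransmission plus the rest
]

if __name__ == "__main__":
    for ts, pkt in rewrite_trace(ISN, TRACE):
        print(ts, pkt)
```

Running it shows the point of the thread: records at 1.0, 2.0 and 4.0 are empty, the first rewritten message appears at 3.0 (when the hole is filled, not when its last byte was captured), and the second at 5.0, even though the second message's start shared a segment with the first's body.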

