[Bro] handle out of order and retransmitted packets in offline trace

Song Zhao sxz135 at case.edu
Mon May 16 14:04:29 PDT 2011


Can Bro itself differentiate these retransmitted and out-of-order packets?
If yes, does http-rewriter.bro use such a method of Bro's?

Besides, can http-rewriter.bro handle the special HTTP packet which, for
example, includes 2 or more requests or responses, or even one and a half
requests or responses?

On Mon, May 16, 2011 at 4:54 PM, Ruoming Pang <rpang at cs.princeton.edu> wrote:

> http-rewriter.bro sits above TCP layer and does not see TCP retransmission
> or out of order packets.
>
>
> On Mon, May 16, 2011 at 4:51 PM, Song Zhao <sxz135 at case.edu> wrote:
>
>> Hi,
>>
>> Thanks for your explanation. But I am still a little confused. Can
>> http-rewriter.bro rewrite all HTTP packets in a TCP connection where
>> out-of-order and retransmitted packets exist?
>>
>> Song Zhao
>>
>>
>> On Mon, May 16, 2011 at 4:24 PM, Ruoming Pang <rpang at cs.princeton.edu> wrote:
>>
>>> Hi,
>>>
>>> I forgot about the details, but here is the basic idea. The rewritten
>>> packets will not reproduce the original TCP segment ordering and
>>> retransmission; however, the timestamps will be preserved by creating one
>>> output packet that corresponds to every input packet timestamp. So if you
>>> remove a big chunk of body, you will see a bunch of empty packets (which
>>> compress quite well).
>>>
>>> Ruoming
>>>
>>> On Mon, May 16, 2011 at 12:05 AM, Song Zhao <sxz135 at case.edu> wrote:
>>>
>>>> Hello, All
>>>>
>>>> I am trying to use the policy script http-rewriter.bro in Bro-1.5.1 to
>>>> anonymize the HTTP message-body of all HTTP packets in a big dumped trace
>>>> larger than 100GB (http-rewriter.bro actually deletes all HTTP message-bodies
>>>> and adds one new header field named X-Actual-Data-Length, right?).
>>>>
>>>> I am not sure if Bro itself and http-rewriter.bro have the ability of
>>>> reordering all TCP packets and deleting TCP retransmitted packets in every
>>>> connection of the dumped trace?
>>>>
>>>> If they cannot do that, can I reorder all packets and delete the
>>>> retransmitted packets in every connection first by using some tools and then
>>>> use http-rewriter.bro? Is this approach reasonable? What's your suggestion
>>>> about the tools I can use?
>>>>
>>>> Besides, I want to test if special HTTP packets exist. Special packet
>>>> here means there is more than one HTTP construct (headers + message body) in
>>>> one packet. When using http-rewriter.bro on several special packets I
>>>> created, it seems that it can delete the message-body correctly for almost
>>>> all cases as long as the packets in the connection are in order and
>>>> complete. Can http-rewriter.bro handle the special cases correctly, as I
>>>> found?
>>>>
>>>> Looking forward to your answer, and thank you very much.
>>>>
>>>> Song Zhao
>>>> _______________________________________________
>>>> Bro mailing list
>>>> bro at bro-ids.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>
>>>
>>>
>>
>
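A toy illustration of the point Ruoming makes above, added here as an example and not code from Bro or http-rewriter.bro: a TCP reassembler hands the HTTP layer an ordered, de-duplicated byte stream, and a body stripper that works on that stream (rather than on packets) is indifferent to segment order, retransmission, and how many HTTP messages share one packet. The sample segments, the Content-Length-only framing and the exact X-Actual-Data-Length handling are assumptions.

```python
import re
# Constructed sample: two pipelined HTTP requests in one TCP connection.
MSG1 = b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n\r\nhello"
MSG2 = b"GET /b HTTP/1.1\r\nHost: x\r\n\r\n"
DATA = MSG1 + MSG2
ISN = 1000
# Arrival order (constructed): first segment out of order, one full retransmit,
# one partially overlapping retransmit; the middle segment carries the end of
# MSG1's headers, its body and the start of MSG2 (one and a half messages).
SEGMENTS = [
    (ISN + 30, DATA[30:60]),
    (ISN, DATA[:30]),
    (ISN, DATA[:30]),
    (ISN + 20, DATA[20:45]),
    (ISN + 60, DATA[60:]),
]

def reassemble(segments, isn):
    """Deliver payload in sequence order however segments arrive; bytes already
    delivered (retransmissions) are discarded, as a TCP reassembler does."""
    stream, next_seq, buffered = bytearray(), isn, {}
    for seq, payload in segments:
        buffered[seq] = payload
        while True:
            ready = [s for s in buffered if s <= next_seq]
            if not ready:
                break  # a gap precedes every buffered segment: wait
            s = ready[0]
            data, skip = buffered.pop(s), next_seq - s
            if skip < len(data):  # at least some bytes are new
                stream += data[skip:]
                next_seq += len(data) - skip
    return bytes(stream)

def strip_bodies(stream):
    """Drop each HTTP message body and record its size in X-Actual-Data-Length
    (assumed framing: Content-Length only, no chunked encoding)."""
    out, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break  # headers incomplete: would wait for more stream data
        headers = stream[pos:end]
        m = re.search(rb"Content-Length:\s*(\d+)", headers, re.I)
        length = int(m.group(1)) if m else 0
        if end + 4 + length > len(stream):
            break  # body incomplete: emit nothing yet
        headers = re.sub(rb"\r\nContent-Length:[^\r\n]*", b"", headers, flags=re.I)
        out.append(headers + b"\r\nX-Actual-Data-Length: %d\r\n\r\n" % length)
        pos = end + 4 + length
    return b"".join(out)
```

Feeding the same segments in their original order gives the identical stripped output, which is why a tool that sits above TCP never has to see the reordering itself.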