[Bro] handle out of order and retransmitted packets in offline trace

Song Zhao sxz135 at case.edu
Tue May 17 17:24:50 PDT 2011


Is that function of reassembling the TCP bytestream embedded in the event engine and
enabled by default when using http-rewriter.bro, or is there a policy
script we need to call to sort out the TCP packets? Thanks.

On Mon, May 16, 2011 at 7:25 PM, Vern Paxson <vern at icir.org> wrote:

> > Can Bro itself differentiate these retransmitted and out of order
> packets?
>
> It's not clear what you mean by differentiate.  Bro reassembles the
> TCP bytestream, correctly accounting for retransmitted and out-of-order
> packets.
>
> > Besides, can http-rewriter.bro handle the special HTTP packet which, for
> > example, includes 2 or more requests or response or even one and half
> > requests or responses?
>
> Per Ruoming's earlier comment, http-rewriter.bro does *not* operate on
> individual packets, it operates on the reassembled bytestream.  It then
> constructs new packets from that bytestream.  The timing of these packets
> reflects the timing of the original packets, but the *sequencing* of the
> packets does not.
>
>                Vern
>
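Since the thread turns on what "operating on the reassembled bytestream" buys you, here is an added illustration in Python. It is not Bro's code and not from either poster: a toy in-order TCP reassembler that copes with out-of-order, retransmitted and overlapping segments, followed by a framer that carves complete HTTP requests out of the delivered bytes without regard to where packet boundaries fell (the "one and a half requests per packet" case). The sequence numbers, the sample request stream and the segment cut points are constructed for the example.

```python
"""Toy TCP reassembly plus HTTP request framing.

Constructed example for this thread; it is not Bro's code. It shows why an
analyzer fed from the reassembled bytestream (as http-rewriter.bro is) does not
care about retransmissions, out-of-order segments, or packets holding one and
a half requests. Sequence numbers and the sample stream below are made up.
"""
from dataclasses import dataclass, field
import re


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


@dataclass
class Reassembler:
    """One direction of a TCP connection; payload bytes start at isn + 1."""
    isn: int
    pending: dict = field(default_factory=dict)        # seq -> payload waiting for a gap to close
    delivered: bytearray = field(default_factory=bytearray)

    @property
    def next_seq(self) -> int:
        return self.isn + 1 + len(self.delivered)

    def add(self, seg: Segment) -> bytes:
        """Accept a segment; return whatever became contiguous because of it."""
        end = seg.seq + len(seg.payload)
        if end <= self.next_seq:
            return b""                                 # pure retransmission, nothing new
        if seg.seq < self.next_seq:                    # overlaps delivered data: keep the new tail
            seg = Segment(self.next_seq, seg.payload[self.next_seq - seg.seq:])
        old = self.pending.get(seg.seq)
        if old is None or len(seg.payload) > len(old):
            self.pending[seg.seq] = seg.payload
        return self._drain()

    def _drain(self) -> bytes:
        out = bytearray()
        progressed = True
        while progressed:
            progressed = False
            for start in sorted(self.pending):
                payload = self.pending.pop(start)
                end = start + len(payload)
                if end <= self.next_seq:
                    continue                           # now fully covered; drop it
                if start <= self.next_seq:
                    new = payload[self.next_seq - start:]
                    self.delivered += new
                    out += new
                    progressed = True
                    break                              # rescan: a later segment may now fit
                self.pending[start] = payload          # still behind a gap
        return bytes(out)


REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")


def split_http_requests(stream: bytes):
    """Frame complete HTTP requests out of a reassembled client bytestream.

    Returns (requests, leftover). Only Content-Length bodies are handled; a
    request whose bytes are not all present yet stays in leftover."""
    requests, pos = [], 0
    while True:
        hdr_end = stream.find(b"\r\n\r\n", pos)
        if hdr_end < 0:
            break
        head = stream[pos:hdr_end + 4]
        if not REQUEST_LINE.match(head):
            raise ValueError("stream desynchronized: not at a request line")
        m = re.search(rb"\r\nContent-Length:\s*(\d+)\r\n", head, re.IGNORECASE)
        end = hdr_end + 4 + (int(m.group(1)) if m else 0)
        if end > len(stream):
            break
        requests.append(stream[pos:end])
        pos = end
    return requests, stream[pos:]


def demo():
    """Feed a scrambled, partly retransmitted capture through both stages."""
    isn = 1000
    # Constructed client stream: three requests, the second with a body.
    stream = (b"GET /a HTTP/1.1\r\nHost: x\r\n\r\n"
              b"POST /b HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n\r\nhello"
              b"GET /c HTTP/1.1\r\nHost: x\r\n\r\n")
    # Packet boundaries deliberately do not line up with request boundaries.
    cuts = [0, 10, 28, 45, 70, 85, len(stream)]
    segs = [Segment(isn + 1 + a, stream[a:b]) for a, b in zip(cuts, cuts[1:])]
    overlap = Segment(segs[3].seq - 3, stream[cuts[3] - 3:cuts[4] + 2])
    # Wire order: reordered, one full retransmission, one overlapping segment.
    wire = [segs[0], segs[2], segs[1], segs[1], segs[4], overlap, segs[3], segs[5]]
    r = Reassembler(isn)
    for s in wire:
        r.add(s)
    reqs, rest = split_http_requests(bytes(r.delivered))
    return bytes(r.delivered) == stream, len(reqs), rest


if __name__ == "__main__":
    print(demo())
```

In the terms of the thread, Reassembler stands in for the reassembly Vern describes and split_http_requests for what a bytestream-level consumer such as http-rewriter.bro sees; the framer never looks at a packet, so duplicates and reordering on the wire cannot reach it.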

