[Bro] handle out of order and retransmitted packets in offline trace

Song Zhao sxz135 at case.edu
Fri May 27 08:22:48 PDT 2011


> 1. Is the command to use http-rewriter.bro on a captured offline trace as
> follows?
>      ./bro -r 'the name of tracefile we want to deal with' http-rewriter.bro
>      -w 'the name of tracefile where we want to write the resulting packets'

>> It's -A, not -w.

Will there be any difference between -A and -w for the use of
http-rewriter.bro? I just used -A to rewrite some examples and it seems
that the resulting files are the same as those using -w.

> According to the code of http.bro, global http_ports are
> 80, 81, 631, 1080, 3138, 8000, 8080 and 8888.

Note, that list is used only if you turn on DPD.

> Besides,
> there are still a small portion with port numbers different from all above.
> So I am confused with the filtering of http-rewriter.bro.

Then in principle you should use DPD.  However, I don't know whether
it's integrated with the rewriting framework.

The command I used is only "./bro -r readfile http-rewriter.bro -w
writerfile". I don't know if DPD is turned on. Actually, http.bro is loaded
by http-request.bro, which is also loaded by http-reply.bro. In http.bro, I
think there is code about DPD as follows:

# DPM configuration.
global http_ports = {
    80/tcp, 81/tcp, 631/tcp, 1080/tcp, 3138/tcp,
    8000/tcp, 8080/tcp, 8888/tcp,
};
redef dpd_config += { [ANALYZER_HTTP] = [$ports = http_ports] };
redef dpd_config += { [ANALYZER_HTTP_BINPAC] = [$ports = http_ports] };

Does it mean DPD has been integrated within the rewriting framework? And
is it the reason why the majority of the rewritten trace I got is from port
20480 and also from some ports other than 80, 8000, 8080?

Thanks a lot.

Song
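A small check added here (not part of the thread, and not Bro's own code): it tallies TCP destination ports in a rewritten trace and lists the ones outside the http_ports set quoted above, so the "ports other than 80, 8000, 8080" observation can be quantified. It assumes classic little-endian or big-endian libpcap files with untagged Ethernet/IPv4/TCP frames; make_pcap builds a constructed sample trace for a stand-alone run.

```python
# Added example (not from the thread); assumes classic pcap, Ethernet/IPv4/TCP.
import struct
HTTP_PORTS = {80, 81, 631, 1080, 3138, 8000, 8080, 8888}  # http_ports in http.bro

def iter_packets(data):
    """Yield raw frames from a classic pcap file, honouring its byte order."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"  # LE or BE magic
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, caplen, _wirelen = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + caplen]
        off += caplen

def tcp_ports(frame):
    """Return (src_port, dst_port) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4 ethertype
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:  # IPv4 protocol field: 6 = TCP
        return None
    tcp = 14 + ihl
    if len(frame) < tcp + 4:
        return None
    return struct.unpack_from("!HH", frame, tcp)

def port_report(pcap_bytes):
    """Count destination ports and list those not in HTTP_PORTS."""
    counts = {}
    for frame in iter_packets(pcap_bytes):
        ports = tcp_ports(frame)
        if ports:
            counts[ports[1]] = counts.get(ports[1], 0) + 1
    unexpected = sorted(p for p in counts if p not in HTTP_PORTS)
    return counts, unexpected

def make_pcap(dst_ports):
    """Constructed sample: minimal little-endian pcap with one SYN per port."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for dport in dst_ports:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
        tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out
```

Run port_report on the file produced by -A or -w; any port listed under "unexpected" was not in the DPD port list, so it came through some other path than the http_ports match.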