[Bro] handle out of order and retransmitted packets in offline trace

Song Zhao sxz135 at case.edu
Fri May 27 11:45:41 PDT 2011


Hi, Ruoming

1.
I also tried ./bro -r readfile -A writefile http-rewriter.bro, whose
results seem to be the same as those of ./bro -r readfile http-rewriter.bro
-A writefile. And is there any difference in the resulting trace between
using -A and -w for http-rewriter.bro? I tried some examples and their
results seem the same.

2.
Does http-rewriter.bro by default use DPD to find HTTP streams instead of
port numbers?
After rewriting a big trace which consists of all kinds of streams (TCP and
UDP) using http-rewriter.bro, the ports of the resulting trace range widely,
including 80, 8000, 8080, 631, 1080 and so forth. Interestingly, the majority of
them are port 20480. Is it because of the use of DPD?

Thanks.

Song Zhao
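As an added illustration (not part of the post above, and not Bro's own code): one check a practitioner would run on a rewritten trace whose port distribution looks odd is to ask whether the unexpected ports are byte-swapped versions of expected ones. Port 80 is 0x0050; the same two bytes read in little-endian host order instead of network byte order give 0x5000 = 20480. Whether that is what happened in the trace described above is an assumption this example does not settle; the example only shows how to parse the port fields correctly, what the host-order misreading produces, and how to flag swap candidates in an observed port list. The header bytes, the port list and the set of "expected" ports are constructed for this example.

```python
"""Sanity check for port values in a rewritten trace (added example, not Bro code)."""
import struct
from collections import Counter

# Constructed sample TCP header (20 bytes): source port 51234 (0xC822) and
# destination port 80 (0x0050), both in network byte order; remaining fields zeroed.
SAMPLE_TCP_HEADER = bytes.fromhex("c822 0050") + bytes(16)

# Ports one would expect to dominate an HTTP-only trace (an assumption for this example).
WELL_KNOWN_PORTS = {80, 443, 8000, 8080, 631, 1080}


def parse_ports(tcp_header: bytes) -> tuple:
    """Decode the port fields correctly: '!' selects network (big-endian) byte order."""
    return struct.unpack("!HH", tcp_header[:4])


def parse_ports_host_order(tcp_header: bytes) -> tuple:
    """The defective reading: the same bytes interpreted as little-endian host order,
    which is what a missing ntohs() produces on an x86 host."""
    return struct.unpack("<HH", tcp_header[:4])


def byteswap16(value: int) -> int:
    """Swap the two bytes of a 16-bit value (80 <-> 20480, 8080 <-> 36895, ...)."""
    return ((value & 0xFF) << 8) | ((value >> 8) & 0xFF)


def swap_candidates(ports):
    """Return {observed_port: swapped_port} for ports that are not in the expected
    set themselves but land in it once byte-swapped. A dominant entry here points
    at a byte-order defect somewhere in the pipeline that produced the trace."""
    counts = Counter(ports)
    result = {}
    for port in counts:
        swapped = byteswap16(port)
        if port not in WELL_KNOWN_PORTS and swapped in WELL_KNOWN_PORTS:
            result[port] = swapped
    return result


# Constructed port list mimicking the observation in the post: a handful of
# real HTTP-ish ports and a large majority of 20480.
OBSERVED_PORTS = [80, 8000, 8080, 631, 1080] + [20480] * 50

if __name__ == "__main__":
    print(parse_ports(SAMPLE_TCP_HEADER))             # (51234, 80)
    print(parse_ports_host_order(SAMPLE_TCP_HEADER))  # (8904, 20480)
    print(swap_candidates(OBSERVED_PORTS))            # {20480: 80}
```

Running the script over the constructed input reports 20480 as a swap candidate for 80; on a real trace one would feed swap_candidates() the destination ports extracted from each TCP header with parse_ports() and look for the same pattern.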