[Bro] handle out of order and retransmitted packets in offline trace
Vern Paxson
vern at icir.org
Fri May 27 13:43:51 PDT 2011
> I also tried ./bro -r readfile -A writefile http-rewriter.bro, whose
> results seem to be the same as those of ./bro -r readfile http-rewriter.bro
> -A writefile. And is there any difference in the resulting trace between
> using -A and -w for http-rewriter.bro?
If you specify both, then you get the untransformed trace in the -w file
and the transformed one in -A. If you specify just one, then that's the
transformed file.
> Does http-rewriter.bro by default use DPD to find http streams instead of
> port numbers?
I don't know. But you can avoid this question by just wiring in the
ports of interest into the initialization of capture_filters in http-reply.bro.
> Interestingly, the majority of
> them are port 20480.
Note, 20480 = 80 but little endian. This suggests either a bug in how
you're viewing the port numbers, or in how Bro is displaying (or possibly
processing them).
Vern
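The byte-order point in the reply above, worked through as an added example (not code from the post, from Bro, or from the Bro project): a constructed 20-byte TCP header is decoded once in network (big-endian) order and once in little-endian order, which turns destination port 80 into 20480 exactly as reported; a second helper then scans a constructed list of observed ports and flags those that are the byte swap of a well-known port. The header contents, the port list, and the helper names (`swap16`, `byte_swap_suspects`, the well-known-port list) are assumptions for illustration.

```python
import struct

# Constructed sample input (not from the original post): a minimal 20-byte
# TCP header with source port 34567 and destination port 80, packed in
# network byte order ("!") as it would appear on the wire.
TCP_HEADER = struct.pack(
    "!HHIIBBHHH",
    34567,       # source port
    80,          # destination port
    0x12345678,  # sequence number
    0,           # acknowledgement number
    5 << 4,      # data offset (5 x 32-bit words) in the high nibble
    0x02,        # flags: SYN
    65535,       # window
    0,           # checksum (not computed for this illustration)
    0,           # urgent pointer
)


def ports_network_order(hdr: bytes) -> tuple:
    """Decode the two port fields the way the protocol defines them: big-endian."""
    return struct.unpack_from("!HH", hdr, 0)


def ports_little_endian_bug(hdr: bytes) -> tuple:
    """The mistake: reading the same fields with little-endian byte order,
    which is what 'native order on an x86 host' silently does. "<" is used
    so the demonstration behaves the same on any host."""
    return struct.unpack_from("<HH", hdr, 0)


def swap16(port: int) -> int:
    """Swap the two bytes of a 16-bit port (what ntohs() does on a little-endian host)."""
    return ((port & 0xFF) << 8) | ((port >> 8) & 0xFF)


# Assumed list of well-known ports; extend to whatever your traffic should contain.
WELL_KNOWN_PORTS = (22, 25, 53, 80, 443)


def byte_swap_suspects(observed_ports, expected_ports=WELL_KNOWN_PORTS) -> dict:
    """Map each observed port whose byte swap is a well-known port (and which is
    not itself well-known) to that corrected value, e.g. {20480: 80}.
    A large share of such ports in a trace is the signature of a byte-order bug
    in the reader or the display, not of real traffic on those ports."""
    suspects = {}
    for p in observed_ports:
        s = swap16(p)
        if s in expected_ports and p not in expected_ports:
            suspects[p] = s
    return suspects


if __name__ == "__main__":
    print(ports_network_order(TCP_HEADER))      # (34567, 80)
    print(ports_little_endian_bug(TCP_HEADER))  # (1927, 20480)
    # Constructed list of ports as a buggy viewer might print them.
    print(byte_swap_suspects([20480, 20480, 47873, 80, 5632, 12345]))
```

Running the block prints the correctly decoded ports, the byte-swapped ones, and `{20480: 80, 47873: 443, 5632: 22}` for the constructed list, which is the quick check to run before assuming a trace really is dominated by an unusual port.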