Greetings.
I have a couple of questions about BRO’s tcp stream reassembly. Please reply if you have answers.
When does Bro allocate memory for doing reassembly (putting the different blocks of data together)?
Does it append to this same buffer when subsequent stream data comes?
What is the size of the reassembly buffer? Does that grow? Till what size does it grow?
Any information or pointers is appreciated.
Thanks a lot
Thomas
Hi Thomas,
I'd like to first clarify that the TCP reassembler does not have to put different blocks in a single buffer. Instead, its job is to deliver the bytes in order, no matter how many bytes it delivers at a time. On top of that, some ASCII protocol analyzers (such as HTTP) employ a line reassembler, while binary protocol analyzers (such as RPC) have their own frame reassembler. Therefore, the TCP reassembler uses a linked list, instead of a single buffer, for TCP reassembly.
> When does Bro allocate memory for doing reassembly (putting the different blocks of data together)?
In theory, the TCP reassembler only needs to copy segments that arrive out of order. In practice, though, Bro makes a copy of every segment, and deallocates the copy once it is delivered.
> What is the size of the reassembly buffer? Does that grow? Till what size does it grow?
That's a great question. I'm not aware of any cap on the total size of reassembly buffers.
I hope that I answered your questions.
Ruoming