Is it possible to reassemble TCP and UDP streams while Bro inspects a captured tracefile from a different machine? I have several pcap files that contain approx. 6 hrs worth of traffic. I would like to have Bro analyze the data, but I also need the streams (both TCP and UDP) reassembled and stored on the hard drive for use with custom Python scripts. I've noticed that the contents.bro script will reassemble TCP streams, but it doesn't appear to assemble UDP as well.
Any help with this would be greatly appreciated. I have read through the quick start, wiki, and list archives with no luck. I am new to Bro so sorry if this is a basic question.
> Is it possible to reassemble TCP and UDP streams while Bro inspects a
What do you mean by reassembling a UDP stream? These don't have a particular
reassembly ordering associated with them. If you just want to extract the
contents of a given UDP flow, you can do so using tcpdump directly.
Thanks for the quick response. I realize that UDP doesn't have sequence numbers, etc., but I was hoping that Bro would be able to assemble the flow into something that could be externally processed. As a crude example (I realize that Bro has DNS analyzers), I wanted a file that contained the raw DNS request and raw DNS reply. I work with malware a lot and I have scripts that look for custom protocols.
> I realize that UDP doesn't have
> sequence numbers, etc., but I was hoping that Bro would be able to
> assemble the flow into something that could be externally processed.
Yeah, I see your point, but no, it doesn't have that in it. It wouldn't
be hard to add in simplistic terms (i.e., append the payload of every new
datagram in a flow to the end of the content file). Doing it in a
semantic-aware fashion would of course be considerably trickier.
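The simplistic approach described in the reply above (append the payload of every datagram in a flow to that flow's content file), written out as an added example for the "custom Python scripts" use case; this is not Bro code and not from the thread. It assumes a classic pcap with Ethernet framing and IPv4, skips IP fragments, and keeps the two directions of a flow as separate files, so a raw DNS request and its reply end up in two files named by the 4-tuple.

```python
import os
import struct
from collections import defaultdict

def udp_flows(pcap):
    """Walk a classic pcap (Ethernet, IPv4, unfragmented UDP only) and return
    {(src, sport, dst, dport): bytes}, payloads appended in capture order."""
    end = {b'\xd4\xc3\xb2\xa1': '<', b'\xa1\xb2\xc3\xd4': '>'}[pcap[:4]]
    flows, off = defaultdict(bytes), 24                  # 24 = global header
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + 'IIII', pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if (len(frame) < 34 or frame[12:14] != b'\x08\x00' or frame[23] != 17
                or struct.unpack('>H', frame[20:22])[0] & 0x3fff):
            continue                          # not IPv4/UDP, or an IP fragment
        udp = frame[14 + (frame[14] & 0x0f) * 4:]        # skip IP header (IHL)
        if len(udp) < 8:
            continue
        sport, dport, ulen = struct.unpack('>HHH', udp[:6])
        key = ('.'.join(map(str, frame[26:30])), sport,
               '.'.join(map(str, frame[30:34])), dport)
        flows[key] += udp[8:ulen]                        # append this datagram
    return dict(flows)

def write_flow_files(flows, outdir):
    """Store each direction as outdir/src_sport-dst_dport.udp; return the paths."""
    paths = []
    for (s, sp, d, dp), data in flows.items():
        paths.append(os.path.join(outdir, f'{s}_{sp}-{d}_{dp}.udp'))
        with open(paths[-1], 'wb') as fh:
            fh.write(data)
    return paths

def _frame(src, sport, dst, dport, payload):
    """Build an Ethernet/IPv4/UDP frame (zero MACs and checksums) for the sample."""
    udp = struct.pack('>HHHH', sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack('>BBHHHBBH4s4s', 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split('.'))), bytes(map(int, dst.split('.'))))
    return b'\x00' * 12 + b'\x08\x00' + ip + udp

def build_sample_pcap():
    """Constructed capture (not real traffic): two queries and one reply on one flow."""
    frames = [_frame('10.0.0.5', 40000, '10.0.0.1', 53, b'QUERY1'),
              _frame('10.0.0.1', 53, '10.0.0.5', 40000, b'REPLY'),
              _frame('10.0.0.1', 53, '10.0.0.5', 40000, b'') if False else
              _frame('10.0.0.5', 40000, '10.0.0.1', 53, b'QUERY2')]
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)  # linktype 1
    for i, f in enumerate(frames):
        out += struct.pack('<IIII', i, 0, len(f), len(f)) + f          # ts, lengths
    return out
```

Running `write_flow_files(udp_flows(open('trace.pcap', 'rb').read()), 'out')` on a real capture produces one file per flow direction, which is what the external scripts can then consume.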