tcp contents

> In short, this is what I'm trying to do: I want to selectively save
> the payload/contents of a TCP stream to a file just based on the
> protocol/port number.

If you want to do this offline, processing a trace, then it's very
easy - just "bro -f 'tcp port 80 or tcp port 25' -r trace contents",
for example.

If you want to do it online while also doing other work, then a
natural way would be something like:

  # demux_conn() is defined in demux.bro, so load it first.
  @load demux

  # Well-known service ports (smtp = 25/tcp, http = 80/tcp) whose
  # contents should be saved.
  global interesting_services = { smtp, http, };

  event connection_established(c: connection)
    {
    # Once the handshake completes, attach the connection's payload to
    # files tagged "interesting", one file per direction.
    if ( c$id$resp_p in interesting_services )
      demux_conn(c$id, "interesting", "orig", "resp");
    }

(with the caveat that I haven't tested this)

    Vern

> If you want to do it online while also doing other work, then a
> natural way would be something like:
>
> global interesting_services = { smtp, http, };
>
> event connection_established(c: connection)
>   {
>   if ( c$id$resp_p in interesting_services )
>     demux_conn(c$id, "interesting", "orig", "resp");
>   }
>
> (with the caveat that I haven't tested this)

Thanks for the tip.

Good news: I went ahead and tested it and it worked fine when saving the
contents to 2 separate files.
Bad news: Although it took just a simple modification to a copy of
"demux_conn()", I couldn't get it to work when writing to 1 file by using
the CONTENTS_BOTH flag.

Assuming the above observations are true, then unless someone can state why
CONTENTS_BOTH has problems I will go ahead and continue investigating
tomorrow.

More details on the "bad news":

- At a minimum the data is not ordered properly. This is readily apparent
when examining the POP3 protocol when there isn't any mail to deliver.
Perhaps it is as simple as the data being cached and then flushed? (I'm now
suspicious of this, and will look at it tomorrow. Sorry for the premature
post.)

- For HTTP it also appeared the data was not properly ordered. I can't say
for certain, but it appeared that the first "GET" was frequently missing
while the response was properly added.

- two workarounds for the above were to either
the empty "events" for those analyzers (correct term?)
  b: instantiating the TCP_TransactionContents class for HTTP, SMTP,
and POP3. The simple class seems to flush the data properly.

Perhaps I'm swimming upstream by trying to use the single file approach, but
it really does seem doable.

Thanks for the help.

John
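For reference, here is what the single-file variant John describes might look like as a Bro policy script. This is an added example, not code from the thread and not Bro's own demux.bro; the function name demux_conn_both, the file-naming scheme, the demuxed_both set used to avoid attaching a connection twice, and the use of 110/tcp for POP3 are all assumptions. It uses set_contents_file() with CONTENTS_BOTH, the same flag John reports as producing out-of-order data, so the ordering of the resulting file is exactly the open question in his post.

```bro
# Added example: write both directions of selected TCP connections to a
# single file with CONTENTS_BOTH.  Not part of the original thread;
# demux_conn_both() and the file naming below are assumptions.

# Responder ports whose payload should be saved.  smtp and http are
# Bro's predefined port constants; 110/tcp is POP3 (assumed here, since
# John tested against POP3).
global interesting_services = { smtp, http, 110/tcp, };

# Connections already attached to a contents file, so that a connection
# is never demuxed twice.
global demuxed_both: set[conn_id];

function demux_conn_both(id: conn_id, tag: string): bool
	{
	if ( id in demuxed_both )
		return F;

	# One file per connection, e.g. "interesting.10.0.0.1.34567-10.0.0.2.80"
	local fname = fmt("%s.%s.%s-%s.%s", tag, id$orig_h, id$orig_p,
				id$resp_h, id$resp_p);

	# CONTENTS_BOTH sends originator and responder payload to the same
	# file.  demux_conn() instead calls set_contents_file() twice, with
	# CONTENTS_ORIG and CONTENTS_RESP, producing two separate files.
	set_contents_file(id, CONTENTS_BOTH, open(fname));

	add demuxed_both[id];
	return T;
	}

event connection_established(c: connection)
	{
	# Same selection as in Vern's version: decide by responder port once
	# the three-way handshake has completed.
	if ( c$id$resp_p in interesting_services )
		demux_conn_both(c$id, "interesting");
	}
```

Run it the same way as the two-file variant, either online or against a trace with -r. If the interleaving in the single file looks wrong, comparing it against the two per-direction files written by demux_conn() for the same connection is the quickest way to see whether data is missing or merely out of order.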