[Oisf-users] UDP reassembly behaviour

Seth Hall seth at icir.org
Wed Jun 20 16:16:26 UTC 2012


On Jun 20, 2012, at 12:10 PM, Victor Julien wrote:

> So does Bro make any effort to figure out the correct order of the UDP
> datagrams before doing the "reassembly"? I guess with higher level
> protocol knowledge you could do it.


Nope.  You're right though, that's left to the particular analyzer that might be handling the connection.  Our analyzer API has stream and packet interfaces so depending on the needs of any particular protocol you can get the traffic as a stream or per-packet.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
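
An added example, not part of the original post and not Bro's analyzer API: a per-packet analyzer that uses higher-level protocol knowledge to put UDP datagrams back in order. It goes beyond the thread by choosing RTP (RFC 3550) as the concrete protocol; the class and function names are hypothetical, the packets are constructed, and headers are assumed to carry no CSRC entries or extension.

```python
import struct

def rtp_seq(datagram: bytes) -> int:
    """Sequence number from the 12-byte fixed RTP header (RFC 3550)."""
    if len(datagram) < 12 or datagram[0] >> 6 != 2:   # RTP version must be 2
        raise ValueError("not an RTP packet")
    return struct.unpack_from("!H", datagram, 2)[0]

class ReorderingAnalyzer:
    """Hypothetical per-packet analyzer: UDP gives no ordering, so it orders
    payloads by the protocol's own 16-bit sequence number."""

    def __init__(self, window: int = 64):
        self.window = window   # max datagrams buffered while waiting on a gap
        self.next_seq = None   # next sequence number to release
        self.pending = {}      # seq -> payload, held until in order
        self.delivered = []    # payloads in protocol order
        self.lost = 0          # gaps abandoned once the window overflowed

    def deliver_packet(self, datagram: bytes) -> None:
        seq = rtp_seq(datagram)
        if self.next_seq is None:
            self.next_seq = seq                    # first packet sets the baseline
        # Signed distance modulo 2**16, so 0 counts as "after" 65535.
        delta = (seq - self.next_seq + 0x8000) % 0x10000 - 0x8000
        if delta < 0 or seq in self.pending:
            return                                 # late arrival or duplicate
        self.pending[seq] = datagram[12:]
        while self.pending:
            if self.next_seq in self.pending:
                self.delivered.append(self.pending.pop(self.next_seq))
            elif len(self.pending) > self.window:
                self.lost += 1                     # stop waiting for this one
            else:
                break                              # wait for the missing datagram
            self.next_seq = (self.next_seq + 1) & 0xFFFF

def make_rtp(seq: int, payload: bytes) -> bytes:
    """Constructed sample packet: V=2, no CSRC, fixed timestamp and SSRC."""
    return struct.pack("!BBHII", 0x80, 0, seq, 0, 0x1234) + payload

def demo() -> bytes:
    analyzer = ReorderingAnalyzer()
    # Constructed arrival order: reordered across the wraparound, one duplicate.
    arrivals = [(65534, b"A"), (0, b"C"), (65535, b"B"), (0, b"C"), (1, b"D")]
    for seq, data in arrivals:
        analyzer.deliver_packet(make_rtp(seq, data))
    return b"".join(analyzer.delivered)
```

The bounded window matters for a sensor: without it, a sender that never fills a gap would make the analyzer buffer datagrams indefinitely.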



