<div dir="ltr"><div>All,</div><div><br></div><div>When running Bro, I see a lot of midstream sessions due to long-lived TCP connections that were established before starting Bro.  The Bro conn state is correctly &quot;OTH&quot;, but I would like to inspect the streams that are in progress.  Is there a recommended way to process midstream TCP with Bro?</div><div><br></div><div><br></div><div>For a test I modified HTTP_Analyzer::DeliverStream to allow midstream inspection.</div><div><br></div><div> <span class="gmail-Apple-tab-span" style="white-space:pre">        </span>if ( TCP() &amp;&amp; TCP()-&gt;IsPartial() )</div><div>-<span class="gmail-Apple-tab-span" style="white-space:pre">                </span>return;</div><div>-</div><div>+<span class="gmail-Apple-tab-span" style="white-space:pre">                </span>{</div><div>+<span class="gmail-Apple-tab-span" style="white-space:pre">                        </span>if ( allow_midstream_pickup )</div><div>+<span class="gmail-Apple-tab-span" style="white-space:pre">                                </span>{</div><div>+<span class="gmail-Apple-tab-span" style="white-space:pre">                                        </span>Weird(&quot;Processing in midstream_client_HTTP_data&quot;);</div><div>+<span class="gmail-Apple-tab-span" style="white-space:pre">                                </span>}</div><div>+<span class="gmail-Apple-tab-span" style="white-space:pre">                        </span>else</div><div>+<span class="gmail-Apple-tab-span" style="white-space:pre">                                </span>{</div><div>+<span class="gmail-Apple-tab-span" style="white-space:pre">                                        </span>return;</div><div>+<span class="gmail-Apple-tab-span" style="white-space:pre">                                </span>}</div><div>+<span class="gmail-Apple-tab-span" style="white-space:pre">                </span>}</div><div><br></div><div>Are there any issues with a change similar to this for HTTP?  
I would expect that not all HTTP logs would be properly filled out for a connection that was already established, and possibly some weird log entries about the HTTP headers. The change does allow the logging of HTTP transactions on existing TCP connections, with no issues so far in testing.  I just want to make sure there isn't a better way to deal with existing connections, or reasons why Bro should not look at HTTP in midstream.</div><div><br></div><div>Thanks,</div><div>Stephen</div></div>
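<div>Review bot: the Weird() call in the allow_midstream_pickup branch sits inside HTTP_Analyzer::DeliverStream, so it fires on every chunk delivered for a partial connection rather than once per connection; a single long-lived stream will produce one weird entry per delivery. Guard it with a per-analyzer flag that is set on the first partial delivery (or report it once at the point where the analyzer is attached) so the weird is logged a single time. Two smaller points on the same hunk: allow_midstream_pickup is referenced without the hunk showing where it is declared or how it is exposed as a script-level option, which a reader of the patch needs to see; and the weird name &quot;Processing in midstream_client_HTTP_data&quot; contains spaces and names only the client, while DeliverStream handles both directions, so a single token such as midstream_HTTP_data would be easier to filter on in weird.log and would not mislabel server-side data. Beyond the gate itself, note that the first chunk admitted mid-stream is handed to the request/reply parser with no knowledge of where inside a message it lands, which is where the header weirds anticipated in the text will come from.</div>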