trace and scripts Re: [Bro] http_request event

Ruoming Pang rpang at
Sun Jun 19 19:24:09 PDT 2005

Hi, Bing,

Could you capture a piece of trace using 'tcpdump -w' (using '-s 5000'
to make sure complete packets are captured) and run bro over the trace
(with -r)? And if it doesn't work, please send us the trace and policy
scripts you modified. It will help us understand what the problem is.


On Jun 19, 2005, at 10:05 PM, bchen at wrote:

> Hi Vern,
>   Thank you for your reply. I have actually loaded all http-related .bro files,
> including http, http-request, http-reply, http-body, etc. I load them in mt.bro
> and run Bro: ./bro -i eth0 mt. I then access a web server from the same machine
> where Bro is running. http-request and http-reply event handlers have never been
> called. Please note that I am doing these experiments in a closed
> environment, a small LAN, which is connected together with a hub and
> disconnected from the Internet. There are no DNS servers and Gateway here. The
> communication is basically point-to-point. Is this environment affecting the
> functionality of the http analyzer?
> thanks
> Bing
> Quoting Vern Paxson <vern at>:
>> What exactly are you doing in your script?  Note that "@load http" won't
>> do it - you need "@load http-request" or "@load http-reply" to get
>> request/replies, respectively.
>> 		Vern
> _______________________________________________
> Bro mailing list
> bro at
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
