[Bro] Bro trace files - packets truncated in some circumstances?
vern at icir.org
Sat Oct 28 10:55:42 PDT 2006
> So it looks like if passed a smaller len than the original capture
> length, the output packet will be smaller than the original received
> packet. Does anyone know why this is being done? It would be nice if
> the entire packet was recorded....

It's actually going out of its way to do this (in TCP.cc):

	// By default, if it's a TCP port 80 FIN packet, don't
	// record its contents.  Eliminating these (unless we're
	// doing HTTP analysis) cuts the save file size by about
	// a factor of two, since often HTTP FIN packets have most
	// of the server reply in them.
	if ( flags.FIN() && dst_port == 80 )

This is quite old code and (thanks to your flagging it) will be removed
in the next release.
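
Added example, not part of the original message and not Bro code: a Python check that walks a classic pcap trace and reports every record whose captured length is shorter than its on-the-wire length, noting which of them are FIN segments on TCP port 80 as in the TCP.cc snippet above. The function names and the sample trace are constructed for illustration; it assumes Ethernet framing and IPv4.

```python
import struct

def _fin_port_80(frame):
    # The page's check names dst_port; which side that is in a saved trace
    # is not shown, so either port being 80 is matched (assumption).
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return False                      # not Ethernet/IPv4/TCP
    tcp = 14 + (frame[14] & 0x0F) * 4     # skip the IPv4 header (IHL words)
    if len(frame) < tcp + 14:
        return False                      # cut before the TCP flags byte
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    return bool(frame[tcp + 13] & 0x01) and 80 in (sport, dport)

def truncated_records(pcap):
    """Return (index, caplen, wirelen, fin_on_port_80) for short records."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file")
    end = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack_from(end + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet link type handled here")
    hits, off, idx = [], 24, 0
    while off + 16 <= len(pcap):
        _, _, caplen, wirelen = struct.unpack_from(end + "IIII", pcap, off)
        if caplen < wirelen:              # saved bytes < bytes seen on the wire
            data = pcap[off + 16 : off + 16 + caplen]
            hits.append((idx, caplen, wirelen, _fin_port_80(data)))
        off += 16 + caplen
        idx += 1
    return hits

def _frame(dport, flags, payload):
    # Constructed Ethernet/IPv4/TCP frame; addresses are documentation values.
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6,
                     0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return eth + ip + tcp + payload

def sample_pcap():
    # Constructed trace: record 0 saved whole, record 1 a FIN cut to headers.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    full = _frame(80, 0x18, b"GET / HTTP/1.0\r\n\r\n")
    fin = _frame(80, 0x19, b"x" * 200)
    for frame, caplen in ((full, len(full)), (fin, 54)):
        out += struct.pack("<IIII", 0, 0, caplen, len(frame)) + frame[:caplen]
    return out
```

Running truncated_records() over the bytes of a saved trace shows how many records lost payload and whether the loss is confined to port 80 FIN segments.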