[Bro] Bro trace files - packets truncated in some circumstances?

Vern Paxson vern at icir.org
Sat Oct 28 10:55:42 PDT 2006


> So it looks like if passed a smaller len than the original capture
> length, the output packet will be smaller than the original received
> packet.  Does anyone know why this is being done?  It would be nice if
> the entire packet was recorded....

It's actually going out of its way to do this (in TCP.cc):

	// By default, if it's a TCP port 80 FIN packet, don't
	// record its contents.  Eliminating these (unless we're
	// doing HTTP analysis) cuts the save file size by about
	// a factor of two, since often HTTP FIN packets have most
	// of the server reply in them.
	if ( flags.FIN() && dst_port == 80 )
		Conn()->SetRecordContents(0);

This is quite old code and (thanks to your flagging it) will be removed
in the next release.

		Vern



More information about the Bro mailing list