[Bro] http-body and binary content

Reed Porada rporada at ll.mit.edu
Thu Oct 11 12:47:07 PDT 2007

I want to reassemble the http-content for various streams.  Right now  
I have been able to generically reassemble all of the content, but  
with mixed results.  The plaintext content seems to be reassembling  
fine, however, binary content has had mixed results.  I have  
successfully reassembled several gifs (minus a newline), but others I  
have not.  Looking at the hexdump of the content output, it seems  
like some gifs are being output in ASCII Hex, and others real  
binary.  I then looked at the packet captures, and Ethereal is  
showing the binary of the gifs.  The subtle difference that I have  
noticed is that the successful gifs do not have any "X-..." optional  
headers in them, whereas those that are failing have had "X-Cache"  
and "X-Pad" for example.

Any thoughts on why Bro changes its output based on the optional  
headers?  Or why it could be sometimes outputting binary and others  