[Bro] http-body and binary content
Reed Porada
rporada at ll.mit.edu
Thu Oct 11 12:47:07 PDT 2007
I want to reassemble the http-content for various streams. Right now
I have been able to generically reassemble all of the content, but
with mixed results. The plaintext content seems to be reassembling
fine, however, binary content has had mixed results. I have
successfully reassembled several gifs (minus a newline), but others I
have not. Looking at the hexdump of the content output, it seems
like some gifs are being output in ASCII Hex, and others real
binary. I then looked at the packet captures, and ethereal is
showing the binary of the gifs. The subtle difference that I have
noticed is that the successful gifs do not have any "X-..." optional
headers in them, whereas those that are failing have had "X-Cache"
and "X-Pad" for example.
Any thoughts on why Bro changes its output based on the optional
headers? Or why it could be sometimes outputting binary and others
ASCII Hex?
Thanks,
-Reed