[Bro] http-<x> and empty http.log

Reed Porada rporada at ll.mit.edu
Thu Sep 27 11:20:12 PDT 2007


On Sep 27, 2007, at 12:46 PM, Robin Sommer wrote:

>
> On Thu, Sep 27, 2007 at 10:50 -0400, Reed Porada wrote:
>
>> In trying to get the contents of http sessions, I have run
>> http-body.bro against a pcap, and there is no output to http.log.  This
>> is the same with most http-<x> scripts, except http-reply.
>
> The HTTP scripts are a bit different from other analyzers in the
> sense that they are "incremental", i.e., you typically need to load
> more than one depending on which parts of the HTTP sessions you want
> to analyze.
>
> The minimum is http-request.bro which analyzes client-side requests.
> You can add http-reply.bro to also see the response code of the
> servers. Then you can further add, e.g., http-body.bro, to get the
> session payload and/or http-header.bro to see all HTTP headers.
>
> So, in your case, this should do the trick:
>
>     bro -r trace http-request http-reply http-body
>
> Robin
>
> -- 
> Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
> LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org
>

That worked.  Thanks.

-Reed


