[Bro] Load Balancers

Vern Paxson vern at icir.org
Sat Feb 6 12:52:19 PST 2010

> Am I correct in assuming that the lack of initial connection
> establishment is why the HTTP analysis is never occurring (and
> therefore I'm not getting entries in http.log)?

Yes.  The appended patch should cause the analyzer to function anyway.

> Thanks for the response.  I do actually see a "Connection:
> Keep-Alive\r\n" in the GET packet.  From this, can I assume that a
> persistent connection is being held, thus the confusion by bro?

That's doubtless what's happening.  (FYI, seeing that from the client side
it's just a request, rather than necessarily imposed on the connection.  However,
in the setup you describe, surely the server is accepting this, and hence
the seemingly missing SYNs for later requests.)


Index: src/HTTP.cc
--- src/HTTP.cc	(revision 6971)
+++ src/HTTP.cc	(working copy)
@@ -753,7 +753,7 @@
 	content_line_resp = new ContentLine_Analyzer(conn, false);
-	content_line_resp->SetSkipPartial(true);
+	// content_line_resp->SetSkipPartial(true);
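Review bot: Commenting out content_line_resp->SetSkipPartial(true) changes the behaviour for every partial connection, not only the load-balancer case discussed in this thread, and it leaves dead code behind. Suggest gating the call on a configuration option so that skipping partial connections remains the default, or deleting the line and adding a comment that says why. Only the responder-side analyzer (the one constructed with false) appears in this hunk; if the originator-side analyzer is set up the same way it needs the same treatment, otherwise the two directions will behave differently.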
@@ -794,8 +794,8 @@
 	TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
-	if ( TCP() && TCP()->IsPartial() )
-		return;
+	// if ( TCP() && TCP()->IsPartial() )
+	//	return;
 	const char* line = reinterpret_cast<const char*>(data);
 	const char* end_of_line = line + len;
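Review bot: With the IsPartial() early return in DeliverStream commented out, the line parsing that follows (line / end_of_line) now runs on connections picked up mid-stream, where the first bytes delivered may sit in the middle of a message rather than at the start of a request or reply line. Suggest keeping the early return behind the same option as the SetSkipPartial change, or adding a check that lets the analyzer tell a mid-message start from a real request before it produces output. Also remove the commented-out lines rather than leaving them, and add a comment explaining why partial connections are now parsed.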
