[Bro] HTTP Object length calculation

Ioannis WiCom iduckhd at hotmail.com
Tue Sep 13 08:57:57 PDT 2011


I am trying to use Bro 1.5.1 to calculate the HTTP object length from a test packet trace. I have observed that in several HTTP transactions the calculated object length (stat$body_length) is higher than the "Content-Length" (msg$content_length) r

For example:

GET /tools/services?XXX (200 "OK" ["1945      ", 11182])

I have isolated an example TCP connection and measured the bytes using Wireshark. The real object length is equal to the "Content-Length", but the one reported by Bro is much higher. Therefore, I cannot understand what the value stat$body_length represents.

Any help would be highly appreciated.

Thank you,