[Bro] HTTP Object length calculation
seth at icir.org
Tue Sep 13 10:05:44 PDT 2011
On Sep 13, 2011, at 11:57 AM, Ioannis WiCom wrote:
> I have isolated an example TCP connection, and measured the bytes using wireshark. The real object length is equal to the "Content-Length", but the length reported by bro is much higher. Therefore, I cannot understand what the value stat$body_length represents.
stat$body_length *should* be the actual counted number of bytes that were in the body. If you see a disparity between the two numbers, the web server could be reporting an incorrect length for the data it's sending. Could you send the trace file privately?
International Computer Science Institute
(Bro) because everyone has a network
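
An added example, not part of the original thread and not code from the Bro project: a policy script that records the Content-Length header of each HTTP message and compares it with stat$body_length when the message ends, so the disparity discussed above can be listed per connection from a trace. The table name declared_len and the output format are assumptions made for this example.

```bro
# Added example script (not from the thread or the Bro distribution).
# declared_len is a hypothetical helper table: it holds the Content-Length
# value seen for the message currently in flight on each connection, keyed
# by connection id and direction (is_orig).
global declared_len: table[conn_id, bool] of count;

event http_header(c: connection, is_orig: bool, name: string, value: string)
	{
	# Header names are delivered upper-cased by the HTTP analyzer.
	if ( name == "CONTENT-LENGTH" )
		declared_len[c$id, is_orig] = to_count(value);
	}

event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
	{
	# Messages without a Content-Length header (for example chunked
	# responses) have nothing to compare against.
	if ( [c$id, is_orig] !in declared_len )
		return;

	local declared = declared_len[c$id, is_orig];
	delete declared_len[c$id, is_orig];

	if ( declared == stat$body_length )
		return;

	# Print the other http_message_stat fields next to the two lengths:
	# interrupted and content_gap_length help separate a truncated or
	# lossy capture from a header that does not match the body sent.
	# A response to a HEAD request also shows up here, because it carries
	# a Content-Length header but no body.
	print fmt("%s %s declared=%d counted=%d gap=%d interrupted=%s",
	          id_string(c$id), is_orig ? "request" : "response",
	          declared, stat$body_length, stat$content_gap_length,
	          stat$interrupted);
	}
```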