[Bro] HTTP Object length calculation

Seth Hall seth at icir.org
Tue Sep 13 10:05:44 PDT 2011

On Sep 13, 2011, at 11:57 AM, Ioannis WiCom wrote:

> I have isolated an example TCP connection, and measured the bytes using wireshark. The real object length is equal to the "Content-Length", but the length reported by bro is much higher. Therefore, I cannot understand what the value stat$body_length represents.

stat$body_length *should* be the actual counted number of bytes that were in the body.  If you see a disparity between the two numbers, the web server could be reporting an incorrect length for the data it's sending.  Could you send the trace file privately?


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
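
An added example (not part of the original thread and not Bro code): a Python check that compares the Content-Length header with the body bytes actually present in one reassembled HTTP response. The function names and sample responses are constructed for illustration, and the chunked-body counting is this example's own choice, not a statement about how Bro computes stat$body_length.

```python
# Compare declared Content-Length with counted body bytes for one response
# (the server-to-client bytes of a single connection, already reassembled).

def _chunked_payload_len(body: bytes) -> int:
    """Sum the payload bytes of a chunked body, excluding chunk framing."""
    total, pos = 0, 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return total  # capture ended inside the framing
        size = int(body[pos:eol].split(b";")[0].strip() or b"0", 16)
        if size == 0:
            return total  # last-chunk marker
        start = eol + 2
        total += len(body[start:start + size])  # short if capture is truncated
        pos = start + size + 2  # skip payload and its trailing CRLF


def measure_body(raw: bytes) -> dict:
    """Return declared vs. counted body length for a single response."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    declared = headers.get(b"content-length")
    declared = int(declared) if declared is not None and declared.isdigit() else None
    chunked = b"chunked" in headers.get(b"transfer-encoding", b"").lower()
    counted = _chunked_payload_len(body) if chunked else len(body)
    return {"declared": declared, "counted": counted,
            "mismatch": declared is not None and declared != counted}


# Constructed sample responses (not taken from any real trace).
HONEST = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
WRONG = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello, world"
CHUNKED = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
           b"5\r\nhello\r\n7\r\n, world\r\n0\r\n\r\n")

if __name__ == "__main__":
    for name, raw in (("honest", HONEST), ("wrong", WRONG), ("chunked", CHUNKED)):
        print(name, measure_body(raw))
```
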
