[Bro] Trying to extract HTTP payload

Seth Hall seth at icir.org
Tue Sep 18 10:53:53 PDT 2012

On Sep 18, 2012, at 1:43 PM, Doug Burks <doug.burks at gmail.com> wrote:

> The blank fields in http.log could be the result of checksum offloading:
> http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html
> Doug

Hah!  Good catch Doug.  Ironically, the file extraction as he's doing it will still work fine.

Abhishek, you can have Bro ignore checksums with the -C command line argument, but you definitely do not want to run Bro in production with that argument because it opens the door to easy evasions.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

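A small check, added here as an illustration and not part of either post or of Bro itself, that recomputes a TCP checksum the way a sensor does before accepting a segment. A capture taken on a host with transmit checksum offloading contains segments whose checksum field holds whatever the driver left there (constructed example below uses zero), so the verifier reports them as bad; this is what makes Bro skip them without `-C`. The addresses, ports and payload are constructed sample values.

```python
import struct


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) of data, folded to 16 bits and complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Expected checksum: IPv4 pseudo-header + segment with its checksum field zeroed."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + zeroed)


def tcp_checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """True when the stored checksum matches the recomputed one (what Bro checks by default)."""
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src_ip, dst_ip, segment)


def build_segment(src_ip: bytes, dst_ip: bytes, sport: int, dport: int,
                  payload: bytes, fill_checksum: bool = True) -> bytes:
    """Constructed TCP segment (PSH/ACK, no options). fill_checksum=False mimics a
    capture taken on a host whose NIC was supposed to fill the field later."""
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    seg = header + payload
    if fill_checksum:
        seg = seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]
    return seg


def count_bad(src_ip: bytes, dst_ip: bytes, segments: list) -> int:
    """How many segments in a flow a checksum-verifying sensor would discard."""
    return sum(1 for s in segments if not tcp_checksum_ok(src_ip, dst_ip, s))


if __name__ == "__main__":
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed addresses
    good = build_segment(src, dst, 40000, 80, b"GET / HTTP/1.1\r\n\r\n")
    offloaded = build_segment(src, dst, 40000, 80, b"GET / HTTP/1.1\r\n\r\n", False)
    print("bad segments:", count_bad(src, dst, [good, offloaded]))
```

If most client-side segments in a pcap fail this check while the server's pass, the capture was taken on the sending host with offloading enabled; capturing on a span port or a separate sensor avoids the problem without resorting to `-C`.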