[Bro] http incomplete file extraction (Files::ANALYZER_EXTRACT)
franky.meier.1 at gmx.de
Wed Apr 1 02:01:44 PDT 2015
On Mon, Mar 30, 2015 at 6:54, Siwek, Jon <jsiwek at illinois.edu> wrote:
> In files.log, the value of total_bytes is just taken from the HTTP
> Content-Length header. Since the value of seen_bytes is less than
> total_bytes, you can suspect Bro didn’t see the full file for some
> reason. Do you have a weird.log containing any obvious clues? Else,
> I may need the original pcap to understand what went wrong.
The weird.log states some "above_hole_data_without_any_acks", but why
does it work with tcpflow?
Here is what I did:
1) I downloaded the test file: wget
2) Gathered the pcap: tcpdump -s0 -i eth0 -w download.pcap port http
3) checked if the file was completely captured with tcpflow:
tcpflow -FT -e http -r download.pcap
md5sums do match:
~/bro-liste$ md5sum 5MB.zip
4) run bro (revision 32ae94de9ae36060651240a0ee11838e3e572223) with
~/bro-liste$ cat extract.bro
event file_new(f: fa_file)
	{
	# body not preserved in the archived post; reconstructed as the
	# usual one-liner that attaches the analyzer named in the subject
	Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
	}
~/bro-liste$ /usr/local/bro/bin/bro -r download.pcap extract.bro
1427874309.892545 warning in
54: Your trace file likely has invalid TCP checksums, most likely from
NIC checksum offloading.
5) Logs from bro and the pcap: (14mb)
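Editor's note: the check Jon describes (seen_bytes below total_bytes in files.log) is easy to automate. The script below is an added example for this thread, not code from the original post or from the Bro project. It parses the tab-separated ASCII files.log format using the #separator and #fields headers and flags every record whose extracted file cannot be complete: seen_bytes < total_bytes, missing_bytes > 0 (a reassembly gap, which is what packets discarded for bad checksums produce), or timedout = T. SAMPLE_FILES_LOG, including its fuids, connection uids and addresses, is constructed for the example; on a real run you would pass the text of the files.log Bro wrote next to download.pcap.

```python
"""Flag incomplete extractions in a Bro files.log.

Added example for the mailing-list thread above; not code from the
original post or from the Bro project.  Bro fills total_bytes from the
HTTP Content-Length header and seen_bytes from the bytes it actually
reassembled, so a record with seen_bytes < total_bytes (or with
missing_bytes > 0) describes an extracted file that is truncated on
disk.  SAMPLE_FILES_LOG below is constructed (fuids, uids, addresses).
"""
from __future__ import annotations

import io
from typing import Iterator

UNSET = "-"  # value of #unset_field in Bro's default ASCII writer


def parse_bro_log(text: str) -> Iterator[dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #fields header.

    Handles the tab-separated ASCII writer format: the separator is read
    from the "#separator \\x09" line (an escaped byte); the remaining
    "#" header lines (#types, #path, #open, ...) are skipped.
    """
    sep = "\t"
    fields: list[str] | None = None
    for raw in io.StringIO(text):
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#separator "):
            sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
            continue
        if line.startswith("#fields" + sep):
            fields = line.split(sep)[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data record before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        yield dict(zip(fields, values))


def _count(value: str) -> int | None:
    """Convert a count field, mapping Bro's unset marker to None."""
    return None if value == UNSET else int(value)


def incomplete_files(text: str) -> list[dict[str, object]]:
    """Return the files.log records whose extracted file cannot be complete.

    Flags seen_bytes < total_bytes (declared length not reached),
    missing_bytes > 0 (reassembly gap, e.g. segments Bro discarded) and
    timedout = T.  A record with total_bytes unset (no Content-Length)
    can only be caught by the latter two checks.
    """
    flagged: list[dict[str, object]] = []
    for rec in parse_bro_log(text):
        seen, total, missing = (_count(rec[k]) for k in
                                ("seen_bytes", "total_bytes", "missing_bytes"))
        reasons: list[str] = []
        if seen is not None and total is not None and seen < total:
            reasons.append(f"seen_bytes {seen} < total_bytes {total}")
        if missing:
            reasons.append(f"missing_bytes {missing}")
        if rec.get("timedout") == "T":
            reasons.append("timedout")
        if reasons:
            flagged.append({"fuid": rec["fuid"], "filename": rec["filename"],
                            "extracted": rec.get("extracted", UNSET),
                            "reasons": reasons})
    return flagged


# Column layout of a Bro 2.3-era files.log (used for the constructed sample).
_FIELDS = ("ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type "
           "filename duration local_orig is_orig seen_bytes total_bytes missing_bytes "
           "overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted").split()


def _record(*cols: str) -> str:
    assert len(cols) == len(_FIELDS)
    return "\t".join(cols)


SAMPLE_FILES_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tfiles",
    "#fields\t" + "\t".join(_FIELDS),
    # Constructed: Content-Length said 5 MiB, Bro reassembled 1257392 bytes less.
    _record("1427874309.892545", "Ftrunc001", "192.0.2.10", "198.51.100.7",
            "Cconn0001", "HTTP", "0", "EXTRACT", "application/zip", "5MB.zip",
            "0.451", "F", "F", "3985488", "5242880", "1257392", "0", "F", "-",
            "-", "-", "-", "extract-HTTP-Ftrunc001"),
    # Constructed: a complete transfer for comparison.
    _record("1427874310.104211", "Fok0002", "192.0.2.10", "198.51.100.7",
            "Cconn0002", "HTTP", "0", "EXTRACT", "text/html", "index.html",
            "0.003", "F", "F", "1270", "1270", "0", "0", "F", "-",
            "-", "-", "-", "extract-HTTP-Fok0002"),
]) + "\n"


if __name__ == "__main__":
    for hit in incomplete_files(SAMPLE_FILES_LOG):
        print(f"{hit['fuid']} {hit['filename']} -> {hit['extracted']}: "
              f"{'; '.join(hit['reasons'])}")
```

Run stand-alone it reports only the constructed 5MB.zip record. If a real log turns up flagged records together with the checksum warning shown above, rerun with `bro -C -r download.pcap extract.bro` (`-C` makes Bro ignore checksums) before concluding that the capture itself is short; a file that then extracts with matching md5sum points at checksum offloading on the capture host rather than at packet loss.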