[Bro] http incomplete file extraction (Files::ANALYZER_EXTRACT)
franky.meier.1 at gmx.de
Fri Mar 27 06:35:29 PDT 2015
I am relatively new to Bro, so please excuse me if I missed the obvious solution.
I want to extract files downloaded via HTTP from a pcap file, but the files I download are never extracted completely.
They seem to be truncated at ~1 MB. My Bro script is quite simple:
event file_new(f: fa_file)
Are there any other events I have to catch to get the complete file?
When I download a test file from  with size 3521964 bytes, only 960204 bytes are extracted. I checked with
Wireshark and tcpflow that the download was completely captured in the pcap.
I tested with Bro 2.3.2 and the current dev version from git.
Have a nice weekend!