[Bro] http incomplete file extraction (Files::ANALYZER_EXTRACT)

Seth Hall seth at icir.org
Fri Mar 27 11:41:47 PDT 2015

> On Mar 27, 2015, at 9:35 AM, Frank Meier <franky.meier.1 at gmx.de> wrote:
> event file_new(f: fa_file)
> {
>     Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
> }

Nope, that should work.

> Are there any other events I have to catch to get the complete file?
> When I download a test file from [1] with size 3521964 bytes, only 960204 bytes are extracted. I checked with
> Wireshark and tcpflow that the download was completely captured in the pcap,

Could you show me the files.log entry and the associated conn.log entry?


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
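
One way to line up a files.log entry with its conn.log entry and check the byte counters, as an added example that is not part of the original thread. The log lines are constructed (only the two file sizes come from the question) and trimmed to the columns used, and the function names are hypothetical.

```python
# Constructed sample entries in Bro's tab-separated log format, trimmed to the
# columns used here. They are not the logs from this thread.
FILES_LOG = "\n".join([
    "#fields\tfuid\tconn_uids\tseen_bytes\ttotal_bytes\tmissing_bytes\ttimedout\textracted",
    "FAAA1\tCAAA1\t960204\t3521964\t2561760\tF\textract-HTTP-FAAA1",
    "FBBB2\tCBBB2\t1024\t-\t0\tF\textract-HTTP-FBBB2",
])
CONN_LOG = "\n".join([
    "#fields\tuid\tresp_bytes\tmissed_bytes",
    "CAAA1\t3522300\t2561760",
    "CBBB2\t1400\t0",
])

def parse_bro_log(text):
    """Return rows as dicts, taking column names from the '#fields' header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def to_int(value):
    """Bro writes '-' for unset fields; treat that as unknown (None)."""
    return None if value in ("-", "") else int(value)

def incomplete_files(files_text, conn_text):
    """List (fuid, extracted name, reasons) for files whose counters show a gap."""
    conns = {c["uid"]: c for c in parse_bro_log(conn_text)}
    findings = []
    for f in parse_bro_log(files_text):
        seen, total = to_int(f["seen_bytes"]), to_int(f["total_bytes"])
        reasons = []
        if seen is not None and total is not None and seen < total:
            reasons.append(f"seen {seen} of {total} bytes")
        if (to_int(f["missing_bytes"]) or 0) > 0:
            reasons.append(f"missing_bytes={f['missing_bytes']}")
        if f["timedout"] == "T":
            reasons.append("file analysis timed out")
        for uid in f["conn_uids"].split(","):  # conn_uids is a comma-joined set
            missed = to_int(conns.get(uid, {}).get("missed_bytes", "-"))
            if missed:
                reasons.append(f"conn {uid} missed_bytes={missed}")
        if reasons:
            findings.append((f["fuid"], f["extracted"], reasons))
    return findings

if __name__ == "__main__":
    for fuid, name, reasons in incomplete_files(FILES_LOG, CONN_LOG):
        print(fuid, name, "; ".join(reasons))
```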
