[Bro] http incomplete file extraction (Files::ANALYZER_EXTRACT)
seth at icir.org
Fri Mar 27 11:41:47 PDT 2015
> On Mar 27, 2015, at 9:35 AM, Frank Meier <franky.meier.1 at gmx.de> wrote:
> event file_new(f: fa_file)
>     {
>     Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
>     }
Nope, that should work.
> Are there any other events I have to catch to get the complete file?
> When I download a test file from  with size 3521964 bytes, only 960204 bytes are extracted. I checked with
> wireshark and tcpflow, that the download was completely captured in the pcap,
Could you show me the files.log entry and the associated conn.log entry?
International Computer Science Institute
(Bro) because everyone has a network
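The comparison the reply asks for can be scripted. The following is an added example, not part of the original thread: it reads a files.log and a conn.log in Bro's tab-separated layout, flags files whose seen_bytes fall short of total_bytes (or that report missing bytes or a timeout), and joins each one to its connection by uid. The sample rows are constructed and trimmed to a few columns; only the two byte counts are taken from the message above.

```python
# Constructed, trimmed sample logs in Bro's tab-separated layout. Only the two
# byte counts come from the message above; every other value is made up.
FILES_LOG = "\n".join([
    "#fields\tfuid\tconn_uids\tseen_bytes\ttotal_bytes\tmissing_bytes\ttimedout\textracted",
    "FaAAAA1\tCxAAAA1\t960204\t3521964\t0\tF\textract-HTTP-FaAAAA1",
    "FbBBBB2\tCyBBBB2\t1024\t1024\t0\tF\textract-HTTP-FbBBBB2",
])
CONN_LOG = "\n".join([
    "#fields\tuid\tresp_bytes\tconn_state\tmissed_bytes\thistory",
    "CxAAAA1\t3522300\tSF\t0\tShADadfF",
    "CyBBBB2\t1300\tSF\t0\tShADadfF",
])

def read_bro_log(text):
    """Parse a Bro TSV log; column names come from its '#fields' header line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def num(value):
    """Bro writes '-' for an unset field; map that to None."""
    return None if value in ("-", "") else int(value)

def incomplete_files(files_text, conn_text):
    """Return files.log rows that look truncated, joined to conn.log by uid."""
    conns = {row["uid"]: row for row in read_bro_log(conn_text)}
    report = []
    for f in read_bro_log(files_text):
        seen, total = num(f["seen_bytes"]), num(f["total_bytes"])
        short = seen is not None and total is not None and seen < total
        if not (short or num(f["missing_bytes"]) or f["timedout"] == "T"):
            continue
        for uid in f["conn_uids"].split(","):  # conn_uids is a set of uids
            conn = conns.get(uid, {})
            report.append({
                "fuid": f["fuid"], "uid": uid,
                "gap": total - seen if short else None,
                "missing_bytes": num(f["missing_bytes"]),
                "conn_missed_bytes": num(conn.get("missed_bytes", "-")),
                "conn_state": conn.get("conn_state"),
            })
    return report

if __name__ == "__main__":
    for row in incomplete_files(FILES_LOG, CONN_LOG):
        print(row)
```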