[Bro] Bro Not Extracting Host Fields from HTTP Traffic

Arash Fallah af7 at umbc.edu
Tue Jul 12 09:26:25 PDT 2016

Thanks Justin, that was the problem.

I have two follow-up questions. Can a NIC card handle calculating checksums
for all packets instead of offloading to the CPU or would disabling
offloading result in dropped packets? Is it preferable to have Bro ignore
the checksums instead?

I understand this is a general question but I'm having trouble benchmarking
a 10Gb/s capture card.

On Tue, Jul 12, 2016 at 11:24 AM, Azoff, Justin S <jazoff at illinois.edu>

> It looks like it is missing the entire request.  It's not missing the host
> field, it's missing every single field from the client request.
> method,host,uri,referrer,user_agent,request_body_len are all missing.
> Are you running bro on the machine making the outbound connections?  I'm
> guessing that is your desktop machine.
> If you look inside your reporter.log, is there a warning about tcp
> checksums?
> --
> - Justin Azoff
> > On Jul 12, 2016, at 11:16 AM, Arash Fallah <af7 at umbc.edu> wrote:
> >
> > I'm having an issue where Bro is not extracting the host field correctly
> from captured HTTP traffic (in the form of a PCAP). I've verified it has
> nothing to do with split-routing. I also manually examined the PCAP file
> using Wireshark and found the host field to be present in all instances. I
> am a bit puzzled. This is significant for our use case because we will be
> using Bro to monitor for malicious URLs and the like.
> >
> > I have my http.log, weird.log, and the PCAP file itself. Unfortunately,
> I cannot attach the PCAP due to its size and the mail list rejecting the
> message. Please reply and I will send the PCAP individually.
> >
> > Any advice is appreciated.
> > <http.log><weird.log>_______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160712/99760d96/attachment.html 

More information about the Bro mailing list