[Bro] different file hash between downloaded file by ANALYZER_EXTRACT with original file
email4myth at gmail.com
Fri Aug 11 00:00:50 PDT 2017
i had tests with pcaps, and there is no problem with that.
but when i listen on interface directly, weird problem happened,
and it happened most times .
I opened a issue at
and i upload three files to that issue:
1. test4faf.bro - this is the bro script i use for test
2. test4faf.tar.gz - this is the file i use http to download, this is
generated with command `dd if=/dev/urandom of=test4faf.dat bs=1024
count=128 && tar -cvzf test4faf.tar.gz test4faf.dat && rm -f test4faf.dat`
3. test4faf.pcap - this is generated with tcpdump. if i test with this
pcap, no problem happened, everything is all right.
everyone who has interesting with this problem could do some test with that
bro script, but remember to sniffing traffic directly from interface.
2017-08-10 10:51 GMT+08:00 Seth Hall <seth at corelight.com>:
> On Mon, Aug 7, 2017 at 3:29 AM, Myth Ren <email4myth at gmail.com> wrote:
> > - bro extract file size is one byte bigger than my original file
> > - or bro extract file the right size with my original file, but it's
> > different MD5 value among these files
> Ugh, that's not a good behavior.
> > below is my test env, test steps and test result:
> Could you capture traffic and replay that with Bro instead of sniffing
> the interface directly? If you did that you could at least verify
> that the problem is deterministically replicable and then we could
> possibly look into the problem with you. I have several thoughts
> about what the problem could be but they're ultimately fairly long
> shots and could likely be wrong.
> Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro