[Bro] Different behavior between online and offline for http keepalive requests

duhang darkheaven1983 at gmail.com
Fri Mar 17 23:18:20 PDT 2017


I'm trying to capture the http requests between a client and an http proxy
which is using keepalive to send multiple requests within one connection. I
tried to start a pf_ring cluster and a standalone bro worker using broctl,
and also started bro from the command line; I saved the pcap file in the
meantime. I got incomplete http requests logged, and also observed URLs as the
http method in the log. Then I tried offline mode to load the pcap file from
the command line, and I got all requests logged without any issue.

What's the difference between online and offline mode? Using broctl is even
worse than using command line to launch online capture. What's the