[Bro] Different behavior between online and offline for http keepalive requests
darkheaven1983 at gmail.com
Fri Mar 17 23:18:20 PDT 2017
I'm trying to capture the HTTP requests between a client and an HTTP proxy
which is using keepalive to send multiple requests within one connection. I
tried starting a pf_ring cluster and a standalone Bro worker using broctl,
and also starting Bro from the command line; I saved the pcap file in the
meantime. I got incomplete HTTP requests logged, and also observed a URL as the HTTP
method in the log. Then I tried offline mode to load the pcap file from the
command line, and I got all requests logged without any issue.
What's the difference between online and offline mode? Using broctl is even
worse than using the command line to launch online capture. What's the