[Bro] HTTP responses details are missing
seth at corelight.com
Tue Nov 14 10:49:30 PST 2017
It's most likely that you have had offloaded checksums when you captured
the PCAP. More information here:
On 14 Nov 2017, at 13:09, BortolameottiR wrote:
> Dear all,
> I have a simple question. When I run bro against a .pcap file, it
> happens that some log lines do not show any detail regarding the
> response e.g., response_body_len, status_msg, status_code, resp_fuids
> etc. Is it a problem of the HTTP analyzer?
> I am currently trying to extract all the text/files of all responses,
> however it seems that some connections' responses are not parsed by the
> HTTP analyzer.
> I tried to extract the files (following the scripts below), however
> in these settings some "files" were missing. In my case I am talking
> about .css / .html / .js in the response content.
> - https://www.bro.org/sphinx-git/httpmonitor/index.html (at the
> When you look in conn.log, the same connection (according to the id)
> shows the amount of bytes of the response. If you inspect the file
> in Wireshark you can also see that there was a response.
> Any idea on what could be the issue?
> I can even share the .pcap if needed.
> Bro mailing list
> bro at bro-ids.org
Seth Hall * Corelight, Inc * www.corelight.com