[Bro-Dev] #809: HTTP file extraction not correct

Bro Tracker bro at tracker.bro-ids.org
Thu Apr 12 09:35:50 PDT 2012 

#809: HTTP file extraction not correct
--------------------+---------------------
 Reporter:  dalton  |       Type:  Problem
   Status:  new     |   Priority:  Normal
Milestone:          |  Component:  Bro
  Version:  2.0     |   Keywords:  HTTP
--------------------+---------------------
 I'm trying to use BRO to look at some pipelined HTTP traffic.  I'm asking
 for file extraction but one of the extracted files is the wrong size.  In
 the attached pcap, packet #225 shows the content length as 41931.  In the
 http.log file, I see this:



 1312412117.323323       d8RHszXqnfi     192.168.123.105 37621
 74.208.60.21    80      7       GET     crev.info
 /images/interface/resources.png http://crev.info/       Mozilla/5.0
 (Linux; U; Android 2.2.1; en-us; HTC Dream Build/FRG83) AppleWebKit/533.1
 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1       0
 '''41931'''   200     OK      -       -       -       (empty) -       -
 -       image/png       -       http-
 item_192.168.123.105:37621-74.208.60.21:80_resp_7.dat

 1312412117.710518       d8RHszXqnfi     192.168.123.105 37621
 74.208.60.21    80      8       GET     crev.info
 /images/interface/navbar_li.png http://crev.info/       Mozilla/5.0
 (Linux; U; Android 2.2.1; en-us; HTC Dream Build/FRG83) AppleWebKit/533.1
 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1       0       928
 200     OK      -       -       -       (empty) -       -       -
 application/octet-stream        -       http-
 item_192.168.123.105:37621-74.208.60.21:80_resp_7.dat



 output dir listing:

 ----

 -rw-r--r--  1 dporter dporter   1150 2012-04-10 21:59 http-
 item_192.168.123.105:37621-74.208.60.21:80_resp_10.dat
 -rw-r--r--  1 dporter dporter  60901 2012-04-10 21:59 http-
 item_192.168.123.105:37621-74.208.60.21:80_resp_1.dat
 -rw-r--r--  1 dporter dporter  72217 2012-04-10 21:59 http-
 item_192.168.123.105:37621-74.208.60.21:80_resp_2.dat
 -rw-r--r--  1 dporter dporter    330 2012-04-10 21:59 http-
 item_192.168.123.105:37621-74.208.60.21:80_resp_3.dat
 -rw-r--r--  1 dporter dporter    851 2012-04-10 21:59 http-
 item_192.168.123.105:37621-74.208.60.21:80_resp_4.dat
 -rw-r--r--  1 dporter dporter    716 2012-04-10 21:59 http-
 item_192.168.123.105:37621-74.208.60.21:80_resp_5.dat
 -rw-r--r--  1 dporter dporter   3408 2012-04-10 21:59 http-
 item_192.168.123.105:37621-74.208.60.21:80_resp_6.dat
 -rw-r--r--  1 dporter dporter  '''32931''' 2012-04-10 21:59 http-
 item_192.168.123.105:37621-74.208.60.21:80_resp_7.dat
 -rw-r--r--  1 dporter dporter 771040 2012-04-10 21:59 http-
 item_192.168.123.105:37621-74.208.60.21:80_resp_9.dat

 ----






 The content length is correct in http.log, but the output file
 (..._resp_7) has length 32931.

 Also, why does http.log indicate that both resources.png AND navbar_li.png
 are both written to resp_7.dat ?



 The results from xplico and wireshark when run on this pcap file look
 correct to me.

-- 
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/809>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker

More information about the bro-dev mailing list