[Bro] can't get the http analyzer to print anything

Jaideep Chandrashekar jaideep.chandrashekar at intel.com
Wed Aug 2 18:47:36 PDT 2006


Vern,
   Thanks for the quick turn-around.


Unfortunately, your suggestion doesn't seem to fix it:
   % bro -r trace_incl-http.pcap http-request
also creates an empty http.log file (and so does using http-reply).

[your mail clarified things somewhat] I see a 
  ...
  print http_log fmt(... connection...)   
    in http-request.bro
which should log the request in http.log

However, I still don't see http-request events being generated in the
(generated with -t) trace file. Also, here's a transcript of running in
the debugger (the "new connection created" is printed in Sessions.cc,
when the HTTP_Conn constructor is called).

// -----
% bro -d -r trace_incl-http.pcap http-request
Policy file debugging ON.
In bro_init() at /local/bro/policy/pcap.bro:99
99              update_default_pcap_filter();
(Bro [0]) break http_request
Setting breakpoint on http_request:
Breakpoint 1 set at http_request
at /local/bro/policy/http-request.bro:60
(Bro [1]) continue
Continuing.
new connection created
new connection created
%        
// ----- [end]----
No http_request events triggered.  


Any leads as to what I can try?



Also, could you tell me exactly how "events" are called in the source
code (a pointer to an instance where this is done would be great). I'm a
little hazy about how the arguments are passed to the event handler. Is
there an implicit mechanism to pass args? 
My confusion stems from http_request being defined as taking 4 args
(http-rw.bif.func_def: run_time("http_request() takes exactly 4
argument(s)")), but I don't see the explicit call anywhere.





cheers,

-jc


On Wed, 2006-08-02 at 15:58 -0700, Vern Paxson wrote:
> >  % bro -r trace_incl-http.pcap http
> 
> Confusingly, you need to use 
> 
> 	% bro -r trace_incl-http.pcap http-request
> 
> to see requests or
> 
> 	% bro -r trace_incl-http.pcap http-reply
> 
> to see requests & replies.
> 
> You're not the first person to find this confusing, so I think for 1.2 we
> should change the scripts around so just using http pulls in full analysis.
> 
> 		Vern
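As an added illustration for the question about how handler arguments are passed (this is not code from the thread, nor from the Bro project), here is a minimal policy script that handles http_request. It assumes the current Zeek signature of http_request, which has five parameters; the 2006 Bro version in the post reports four, so the parameter list must match whatever your http-rw.bif declares. The arguments are not passed by any explicit call in the policy files: the HTTP analyzer in the core queues the event together with its values, and the event engine then invokes every handler of that name with those values.

```zeek
# Added example, not part of the original thread or of the Bro sources.
# Assumption: current Zeek signature of http_request (five parameters).
# The 2006 Bro release discussed above declares four; match your own
# event declaration in http-rw.bif / event.bif.

# The core's HTTP analyzer queues an http_request event when it parses a
# request line; the script layer dispatches it to every handler with this
# name, binding the parameters from the queued values. No policy script
# ever calls http_request() explicitly.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    # One line per request: timestamp, 4-tuple, method, URI, HTTP version.
    # %s is used for ports because the port type prints as e.g. 80/tcp.
    print fmt("%s %s:%s -> %s:%s %s %s HTTP/%s",
              network_time(),
              c$id$orig_h, c$id$orig_p,
              c$id$resp_h, c$id$resp_p,
              method, unescaped_URI, version);
    }
```

Run it against the trace with the same invocation style as the thread (`bro -r trace_incl-http.pcap myscript.bro`; with Zeek, `zeek -r trace_incl-http.pcap myscript.zeek`) and a line is printed for every request the analyzer parses. If nothing is printed, the analyzer never saw HTTP on a port it is attached to (for instance because the trace was captured or filtered without port 80), which is worth confirming before stepping through the event engine in the debugger.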


