[Bro] can't get the http analyzer to print anything
Chandrashekar, Jaideep
jaideep.chandrashekar at intel.com
Thu Aug 3 10:45:52 PDT 2006
Hi,
This was resolved (the omission was on my part) by using full packet
traces, rather than packet fragments.
So, http-reply on works on traces collected with the -s 0 option in
tcpdump.
cheers,
-jc
-----Original Message-----
From: Vern Paxson [mailto:vern at icir.org]
Sent: Wednesday, August 02, 2006 3:58 PM
To: Chandrashekar, Jaideep
Cc: bro at ICSI.Berkeley.EDU
Subject: Re: [Bro] can't get the http analyzer to print anything
> % bro -r trace_incl-http.pcap http
Confusingly, you need to use
% bro -r trace_incl-http.pcap http-request
to see requests or
% bro -r trace_incl-http.pcap http-reply
to see requests & replies.
You're not the first person to find this confusing, so I think for 1.2 we
should change the scripts around so just using http pulls in full analysis.
Vern