[Bro] http-<x> and empty http.log

Robin Sommer robin at icir.org
Thu Sep 27 09:46:36 PDT 2007


On Thu, Sep 27, 2007 at 10:50 -0400, Reed Porada wrote:

> In trying to get the contents of http sessions, I have run
> http-body.bro against a pcap, and there is no output to http.log.
> This is the same with most http-<x> scripts, except http-reply.

The HTTP scripts are a bit different from other analyzers in the
sense that they are "incremental", i.e., you typically need to load
more than one depending on which parts of the HTTP sessions you want
to analyze. 

The minimum is http-request.bro which analyzes client-side requests.
You can add http-reply.bro to also see the response code of the
servers. Then you can further add, e.g., http-body.bro, to get the
session payload and/or http-header.bro to see all HTTP headers. 

So, in your case, this should do the trick:

    bro -r trace http-request http-reply http-body

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org


