[Bro] Forcing analyser on partial connections

sridhar basam sridhar.basam at gmail.com
Wed Jun 2 07:23:16 PDT 2010


Tried it on bro 1.5.1 but am unable to get it to run the http analyzer on a
partial trace. I have attached the trace in question to this email, if you
want to try it out.

I am using the following command to get it to pick up the http requests:
"bro -C -f 'tcp' -r partial.pcap http http-request http-reply"

 Sridhar

On Tue, Jun 1, 2010 at 1:58 PM, sridhar basam <sridhar.basam at gmail.com>wrote:

>
>
> On Tue, Jun 1, 2010 at 1:51 PM, Vern Paxson <vern at icir.org> wrote:
>
>> > I have some very long lived http connections where the capture file
>> doesn't
>> > have the tcp setup packets. Is there a way to force the analyser to run
>> on
>> > such partial connections?
>>
>> Which version of Bro are you using, and with what options?  In 1.5.1, the
>> settings are such that HTTP analysis should work on partial connections
>> if you're not running with --use-binpac.  (By default, this is indeed
>> off.)
>>
>>                Vern
>>
>
> Thanks, I will upgrade to 1.5.1. I am currently using 1.4.
>
>      Sridhar
>



-- 
Sridhar
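The "partial connections" this thread is about are TCP flows whose handshake is missing from the trace. As an added example (not code from the list posters or from the Bro project), the Python below scans a classic libpcap file and reports which flows have no SYN, so you know up front which ones an analyzer would have to pick up mid-stream. It assumes Ethernet framing and IPv4 without VLAN tags; the sample trace, addresses and ports are constructed inline.

```python
# Added example (not from the Bro thread): list TCP flows in a libpcap trace
# that were captured without a SYN, the "partial connections" an analyzer has
# to pick up mid-stream. Assumes Ethernet, IPv4, no VLAN, classic pcap format.
import struct

def tcp_flows(pcap_bytes):
    """Map each bidirectional TCP flow to (saw_syn, packet_count)."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    flows, off = {}, 24  # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        caplen, = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])
        pkt = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (pkt[14] & 0x0F) * 4
        ip, tcp = pkt[14:14 + ihl], pkt[14 + ihl:]
        if len(tcp) < 14:
            continue  # truncated TCP header
        sport, dport = struct.unpack("!HH", tcp[:4])
        a, b = (ip[12:16], sport), (ip[16:20], dport)
        key = (a, b) if a <= b else (b, a)  # direction-independent flow key
        saw_syn, count = flows.get(key, (False, 0))
        flows[key] = (saw_syn or bool(tcp[13] & 0x02), count + 1)
    return flows

def partial_flows(pcap_bytes):
    """Flows whose three-way handshake is absent from the trace."""
    return [k for k, (syn, _) in tcp_flows(pcap_bytes).items() if not syn]

def _packet(src, sport, dst, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP packet; checksums left as zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def _pcap(packets):
    """Constructed little-endian libpcap file, snaplen 65535, Ethernet."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in packets)

C, S = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed client/server
SYN, ACK, PSH = 0x02, 0x10, 0x08
SAMPLE_PCAP = _pcap([  # port 40000: full handshake; port 40001: joined mid-stream
    _packet(C, 40000, S, 80, SYN), _packet(S, 80, C, 40000, SYN | ACK),
    _packet(C, 40000, S, 80, ACK | PSH, b"GET / HTTP/1.1\r\n\r\n"),
    _packet(C, 40001, S, 80, ACK | PSH, b"GET /x HTTP/1.1\r\n\r\n"),
    _packet(S, 80, C, 40001, ACK | PSH, b"HTTP/1.1 200 OK\r\n\r\n"),
])
```

Running `partial_flows` over a real capture before handing it to Bro tells you whether the missing requests are in partial flows or simply absent from the trace.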