[Bro] http.log missing info

Seth Hall seth at icir.org
Mon Feb 13 13:58:06 PST 2012


On Feb 13, 2012, at 4:02 PM, Tyler wrote:

> Anything beyond
> that, like the uri, host, UA are missing.

You're missing everything from the client. ;)

> Is there a config option that I did not set correctly? I have
> verified that my networks.cfg is set up correctly and have not
> modified any other settings.


I suspect you have checksum offloading onto your NIC.  The behavior when someone runs this on their desktop is that you will see everything from the server since the checksums are set correctly, but data from the client (you) will offload checksum creation to the NIC, so when libpcap receives the packet it has random data in the checksum field.

Try running Bro with the -C flag to disable checksum validation (but only for testing, you obviously don't want that on live traffic).

  .Seth


--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
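
The effect described in this reply, as an added example that is not part of the original message and not Bro's own code: a validating analyser keeps only packets whose TCP checksum verifies, so a capture taken on the sending host loses the client side. The function names, the addresses and the stale checksum value 0x1234 are constructed for illustration.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    return src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len)

def build_packet(src, dst, sport, dport, payload, stale_csum=None):
    """Constructed IPv4/TCP packet. stale_csum models a capture taken before
    the NIC has written the real checksum into the field."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    csum = inet_checksum(pseudo_header(s, d, len(tcp)) + tcp) if stale_csum is None else stale_csum
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    # IP header checksum is left at 0: only the TCP checksum is modelled here.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, socket.IPPROTO_TCP, 0, s, d)
    return ip + tcp

def tcp_checksum_ok(pkt: bytes) -> bool:
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    segment = pkt[ihl:total_len]
    # A segment carrying a correct checksum sums to 0xFFFF, so the complement is 0.
    return inet_checksum(pseudo_header(pkt[12:16], pkt[16:20], len(segment)) + segment) == 0

def analysed(packets, ignore_checksums=False):
    """Packets a validating analyser keeps; ignore_checksums mirrors Bro's -C."""
    return [name for name, pkt in packets if ignore_checksums or tcp_checksum_ok(pkt)]

CLIENT, SERVER = "192.168.1.10", "192.0.2.80"  # constructed addresses
PACKETS = [
    ("client request", build_packet(CLIENT, SERVER, 49152, 80, b"GET / HTTP/1.0\r\n\r\n", stale_csum=0x1234)),
    ("server reply", build_packet(SERVER, CLIENT, 80, 49152, b"HTTP/1.0 200 OK\r\n\r\n")),
]

if __name__ == "__main__":
    print("validating:", analysed(PACKETS))
    print("with -C   :", analysed(PACKETS, ignore_checksums=True))
```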




