[Bro] http.log missing info

Tyler tyler at hudakville.com
Mon Feb 13 15:27:20 PST 2012


That was it!  Man, I even read that in the FAQ and didn't think about
it. Thanks!

Tyler



On 02/13/2012 04:58 PM, Seth Hall wrote:
> 
> On Feb 13, 2012, at 4:02 PM, Tyler wrote:
> 
>> Anything beyond
>> that, like the uri, host, UA are missing.
> 
> You're missing everything from the client. ;)
> 
>> Is there a config option that I did not set correctly? I have
>> verified that my networks.cfg is set up correctly and have not
>> modified any other settings.
> 
> 
> I suspect you have checksum offloading onto your NIC.  The behavior when someone runs this on their desktop is that you will see everything from the server since the checksums are set correctly, but data from the client (you) will offload checksum creation to the NIC so when libpcap receives the packet it has random data in the checksum field.
> 
> Try running Bro with the -C flag to disable checksum validation (but only for testing, you obviously don't want that on live traffic).
> 
>   .Seth
> 
> 
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
> 
> 
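
An added example (not part of the original thread and not Bro's own code) of the checksum check described above: it validates the TCP checksum of two segments the way a monitor would, so the client-side segment captured before the NIC filled in its checksum fails while the server-side segment passes. The addresses, ports, payloads and the wrong checksum value are all constructed for illustration.

```python
import struct

CLIENT = bytes([192, 0, 2, 10])      # constructed addresses (documentation ranges)
SERVER = bytes([198, 51, 100, 20])

def ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"                      # pad to a whole number of 16-bit words
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Correct checksum for a TCP segment; the stored field (bytes 16-17) is ignored."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))  # IPv4 pseudo-header
    return ~ones_complement_sum(pseudo + zeroed) & 0xFFFF

def checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    # What a monitor does when checksum validation is enabled.
    stored = struct.unpack("!H", segment[16:18])[0]
    return stored == tcp_checksum(src_ip, dst_ip, segment)

def build_segment(src_ip, dst_ip, sport, dport, payload, offloaded):
    # 20-byte header: ports, seq, ack, data offset + PSH|ACK, window, checksum, urgent
    header = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x018, 65535, 0, 0)
    segment = header + payload
    correct = tcp_checksum(src_ip, dst_ip, segment)
    # Offloaded: the capture sees the field before the NIC fills it (constructed wrong value).
    csum = correct ^ 0x5555 if offloaded else correct
    return segment[:16] + struct.pack("!H", csum) + segment[18:]

def sample_capture():
    request = build_segment(CLIENT, SERVER, 49152, 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", True)
    response = build_segment(SERVER, CLIENT, 80, 49152, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n", False)
    return [("client", CLIENT, SERVER, request), ("server", SERVER, CLIENT, response)]

def validate(capture):
    return {side: checksum_ok(src, dst, seg) for side, src, dst, seg in capture}

if __name__ == "__main__":
    print(validate(sample_capture()))
```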


