[Bro] http incomplete file extraction (Files::ANALYZER_EXTRACT)
Frank Meier
franky.meier.1 at gmx.de
Fri Mar 27 06:35:29 PDT 2015
Hi!
I am relatively new to Bro, so please excuse me if I missed the obvious solution.
I want to extract files downloaded via HTTP from a pcap file, but the files I download are never extracted completely.
They seem to be truncated at ~1 MB. My Bro script is quite simple:
# Attach the extraction analyzer to every file Bro sees.
event file_new(f: fa_file)
    {
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
    }
Are there any other events I have to catch to get the complete file?
When I download a test file from [1] with size 3521964 bytes, only 960204 bytes are extracted. I checked with
Wireshark and tcpflow that the download was completely captured in the pcap.
I tested with Bro 2.3.2 and the current dev version from git.
Have a nice weekend!
Franky
[1] http://ipv4.download.thinkbroadband.com/5MB.zip
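The script below is an added example, not Franky's script and not code from the Bro project: it extracts HTTP-carried files with an explicit filename and size cap, and when Bro drops the file state it compares the bytes the extraction saw against what the protocol announced, so a truncated extraction shows up with its missing-byte count instead of going unnoticed. It assumes the file-extract framework of Bro 2.3+ (FileExtract::prefix, FileExtract::default_limit, the $extract_filename and $extract_limit analyzer arguments, and the file_extraction_limit event), and that the output directory exists and is writable.

```bro
# Added example (not from the original post). Extract HTTP files and report
# whether each extraction is complete relative to the bytes Bro saw.
# Assumes Bro 2.3+ with the default base scripts available.

@load base/files/extract
@load base/protocols/http

# Directory extracted files are written to (assumed to exist and be writable).
redef FileExtract::prefix = "./extract_files/";

# Per-file size cap for the extract analyzer; 0 means unlimited. If a
# deployment has redef'd this lower, extractions stop silently at that size.
redef FileExtract::default_limit = 0;

event file_new(f: fa_file)
    {
    # Only files carried over HTTP; other sources (SMTP, FTP, ...) are skipped.
    if ( f$source != "HTTP" )
        return;

    # Filename pattern is an assumption of this example, not a Bro default.
    local fname = fmt("%s-%s", f$source, f$id);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT,
                        [$extract_filename=fname, $extract_limit=0]);
    }

# Raised by the extract analyzer when a file reaches its configured cap;
# logging it makes a limit-induced truncation visible.
event file_extraction_limit(f: fa_file, args: any, limit: count, len: count)
    {
    print fmt("LIMIT HIT %s: cap=%d bytes, stopped after %d bytes", f$id, limit, len);
    }

# Fires once Bro is done with the file (connection closed or timed out).
event file_state_remove(f: fa_file)
    {
    if ( ! f?$info || ! f$info?$extracted )
        return;

    # total_bytes is only set when the protocol announced a size
    # (for HTTP, a Content-Length header).
    local expected = f?$total_bytes ? f$total_bytes : 0;

    # seen_bytes: bytes delivered to the analyzers.
    # missing_bytes: gaps in the reassembled stream, e.g. packets absent
    # from the capture.
    if ( f$missing_bytes > 0 || (expected > 0 && f$seen_bytes < expected) )
        print fmt("INCOMPLETE %s: expected=%d seen=%d missing=%d -> %s",
                  f$id, expected, f$seen_bytes, f$missing_bytes,
                  f$info$extracted);
    else
        print fmt("complete %s: %d bytes -> %s",
                  f$id, f$seen_bytes, f$info$extracted);
    }
```

Run it against a capture with `bro -r download.pcap extract-check.bro` (filename assumed). If the INCOMPLETE line reports missing bytes, the gap is in the capture or in reassembly; if it reports seen < expected with no missing bytes and a LIMIT HIT line precedes it, the extraction cap was the cause.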