[Bro] http incomplete file extraction (Files::ANALYZER_EXTRACT)
Seth Hall
seth at icir.org
Fri Mar 27 11:41:47 PDT 2015
> On Mar 27, 2015, at 9:35 AM, Frank Meier <franky.meier.1 at gmx.de> wrote:
>
> event file_new(f: fa_file)
> {
>     Files::add_analyzer(f, Files::ANALYZER_EXTRACT);
> }
Nope, that should work.
> Are there any other events I have to catch to get the complete file?
>
> When I download a test file from [1] with size 3521964 bytes, only 960204 bytes are extracted. I checked with
> Wireshark and tcpflow that the download was completely captured in the pcap,
Could you show me the files.log entry and the associated conn.log entry?
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/