[Bro] Bro - File Extraction

Johanna Amann johanna at icir.org
Tue May 17 09:57:51 PDT 2016


Hello Mehmet,

this sounds a bit like you encountered packet loss and Bro might not have
seen all the data packets, either due to network problems, or because the
CPU was overutilized during live capture.

Did you take a look at the missing_bytes field in files.log and if this is
greater than 0?

Johanna

On Wed, May 11, 2016 at 11:41:01AM +0300, Mehmet LEBLEBİCİ wrote:
> Hello all,
> 
> I am using Bro 2.4.1 and want to extract files seen on the network traffic.
> For this I loaded extract-all-files.bro script in local.bro. However, it
> does not completely extract files. It seems it stops extracting after some
> point. This occurs for all file types. I looked at the files.log file and
> see that total_bytes and seen_bytes fields are not the same. I also checked
> extract file size limit and there is no problem with that. Also, when I
> save the traffic into a pcap file and issue bro -Cr pcapFile.pcap
> ...../extract-all-files.bro, it extracts files successfully. However, it
> cannot do so in current/logs/extractFiles directory. I am kind of new to
> Bro and I am stuck with this problem for about a week. So, any help will be
> appreciated.
> 
> Thanks in advance,
> 
> 
> Mehmet Leblebici

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
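
The files.log check suggested in the reply above, as an added example that is not part of the original thread: it reads the log's `#fields` header and separates records with content gaps (missing_bytes > 0) from records that simply ended short of total_bytes. The sample log is constructed with a subset of the real columns, and the `gap`/`short` labels are this example's own names.

```python
import io

# Constructed sample: a subset of files.log columns with invented values.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#fields\tfuid\tsource\tmime_type\tseen_bytes\ttotal_bytes\tmissing_bytes\ttimedout",
    "#types\tstring\tstring\tstring\tcount\tcount\tcount\tbool",
    "Fexample1\tHTTP\tapplication/pdf\t204800\t204800\t0\tF",
    "Fexample2\tHTTP\tapplication/zip\t131072\t524288\t65536\tT",
    "Fexample3\tHTTP\tapplication/x-dosexec\t100000\t300000\t0\tT",
    "Fexample4\tSMTP\ttext/plain\t512\t-\t0\tF",
    "#close\t2016-05-17-10-00-00",
])


def parse_bro_log(stream):
    """Yield one dict per record, using the column names from the #fields line."""
    fields = None
    for line in stream:
        line = line.rstrip("\n")
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record seen before #fields header")
            yield dict(zip(fields, line.split("\t")))


def to_count(value):
    """Convert a Bro count column to int; '-' (unset) becomes None."""
    return None if value in ("-", "") else int(value)


def classify(row):
    """Return 'gap', 'short' or 'complete' for one files.log record."""
    seen = to_count(row.get("seen_bytes", "-")) or 0
    total = to_count(row.get("total_bytes", "-"))
    missing = to_count(row.get("missing_bytes", "-")) or 0
    if missing > 0:
        return "gap"       # bytes inside the stream were never seen
    if total is not None and seen < total:
        return "short"     # analysis ended early without a recorded gap
    return "complete"


def incomplete_files(stream):
    """List (fuid, status) for every record that is not complete."""
    return [(r["fuid"], classify(r)) for r in parse_bro_log(stream)
            if classify(r) != "complete"]
```

To run it against a live sensor, pass an open handle to the current files.log to `incomplete_files` instead of the sample.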


