[Bro] Different behavior between online and offline for http keepalive requests
duhang
darkheaven1983 at gmail.com
Fri Mar 17 23:18:20 PDT 2017
Hi,
I'm trying to capture the HTTP requests between a client and an HTTP proxy
which is using keepalive to send multiple requests within one connection. I
tried to start a pf_ring cluster and a standalone bro worker using broctl,
and also to start bro from the command line; I saved the pcap file in the
meantime. I got incomplete HTTP requests logged, and also observed a URL as
the HTTP method in the log. Then I tried to use offline mode to load the pcap
file from the command line, and I got all requests logged without any issue.
What's the difference between online and offline mode? Using broctl is even
worse than using the command line to launch online capture. What's the
difference?