[Zeek] Sometimes HTTP.log fails to generate from PCAP file

Jonah Burgess jburgess03 at qub.ac.uk
Thu Aug 8 12:42:10 PDT 2019


Hi Everyone,

This is my first time using this mailing list so I apologise in advance if I’ve followed the wrong format/protocol etc.

I am doing some malware research and making use of the HTTP.log generated by Bro. I’ve noticed some PCAPs fail to generate an HTTP log. I’ve looked at a couple of examples and thought maybe it is because there is no SYN-ACK before the HTTP connection in the PCAP (the researcher who generated the PCAP may have cut this out or not captured it).

Can anybody confirm why the HTTP.log fails to generate (is it the missing SYN-ACK at the start?) and advise if there is some way I can still extract the HTTP traffic from the PCAP using Bro (since it’s clearly all visible in Wireshark)?

Note: I’m unable to attach screenshots of any of the problematic PCAPs due to email size.

Thanks in advance,
Jonah (@_CryptoCat)


