[Zeek] Sometimes HTTP.log fails to generate from PCAP file

Charles A Fair charles.fair at mac.com
Sat Aug 10 09:07:30 PDT 2019


Try this on your pcap file to see all analyzed events:

Bro Dump Events policy script:

bro -C -r file.pcap policy/misc/dump-events.bro

I would also expect, if your trace is a partial capture, that Bro will create a weird log entry with a description of what’s going on.

Charles “Chuck” A. Fair
chuck.fair at perched.io



Chuck 
> On Aug 8, 2019, at 2:42 PM, Jonah Burgess <jburgess03 at qub.ac.uk> wrote:
> 
> Hi Everyone,
>  
> This is my first time using this mailing list so I apologise in advance if I’ve followed the wrong format/protocol etc.
>  
> I am doing some malware research and making use of the HTTP.log generated by Bro. I’ve noticed some PCAPs fail to generate an HTTP log. I’ve looked at a couple of examples and thought maybe it is because there is no SYN-ACK before the HTTP connection in the PCAP (the researcher who generated the PCAP may have cut this out or not captured it).
>  
> Can anybody confirm why the HTTP.log fails to generate (is it the missing SYN-ACK at the start?) and advise if there is some way I can still extract the HTTP traffic from the PCAP using Bro (since it’s clearly all visible in Wireshark).
>  
> Note: I’m unable to attach screenshots of any of the problematic PCAPs due to email size.
>  
> Thanks in advance,
> Jonah (@_CryptoCat)
>  
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
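The following script is an added example, not code from the thread or from the Zeek project. After a run such as `zeek -C -r file.pcap` (or the `bro` invocation above), it reads the resulting conn.log and weird.log and reports which TCP connections were logged without an originator SYN or a responder SYN-ACK in their `history` field, plus a count of weird names, cross-referenced by connection uid. That lets you confirm whether the capture really starts mid-connection, as the original poster suspects, before digging further; it does not by itself establish why http.log was not written. The two embedded logs are constructed samples in Zeek's default TSV layout (uids such as `Cpart02` are made up); the meaning of the `history` letters and of `conn_state` OTH follows Zeek's conn.log documentation.

```python
"""Check Zeek conn.log/weird.log for signs of a capture that lacks the TCP handshake.

Added example for the mailing-list thread above, not from Zeek itself.
The embedded logs are constructed samples; pass real files as arguments instead.
"""
import sys
from collections import Counter

# Constructed sample conn.log. 'history' letters: uppercase = originator,
# lowercase = responder; S = SYN, h = SYN-ACK, A = ACK, D = data, F = FIN.
# conn_state OTH = no SYN seen, just mid-stream traffic.
CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents
1565000000.100000\tCfull01\t10.0.0.5\t49152\t93.184.216.34\t80\ttcp\thttp\t0.500000\t300\t1200\tSF\t-\t-\t0\tShADadFf\t5\t600\t4\t1400\t-
1565000001.200000\tCpart02\t10.0.0.5\t49153\t93.184.216.34\t80\ttcp\t-\t0.400000\t280\t1100\tOTH\t-\t-\t0\tDdAa\t4\t500\t3\t1300\t-
1565000002.300000\tCudp03\t10.0.0.5\t53001\t10.0.0.1\t53\tudp\tdns\t0.010000\t40\t120\tSF\t-\t-\t0\tDd\t1\t68\t1\t148\t-
#close\t2019-08-10-09-00-00
"""

# Constructed sample weird.log for the same run.
WEIRD_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tweird
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer
1565000001.200000\tCpart02\t10.0.0.5\t49153\t93.184.216.34\t80\tdata_before_established\t-\tF\tzeek
1565000001.250000\tCpart02\t10.0.0.5\t49153\t93.184.216.34\t80\tdata_before_established\t-\tF\tzeek
1565000001.900000\tCfull01\t10.0.0.5\t49152\t93.184.216.34\t80\tbad_TCP_checksum\t-\tF\tzeek
#close\t2019-08-10-09-00-00
"""


def parse_zeek_tsv(text):
    """Parse a Zeek ASCII log into a list of dicts keyed by the '#fields' names."""
    sep = "\t"
    fields = None
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # Zeek writes the separator escaped, e.g. '\x09' for a tab.
            sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#"):
            continue  # #set_separator, #types, #close, ...
        else:
            if fields is None:
                raise ValueError("data row before #fields header")
            rows.append(dict(zip(fields, line.split(sep))))
    return rows


def tcp_without_handshake(conn_text):
    """(uid, history, conn_state, service) for TCP connections whose history
    lacks an originator SYN ('S') or a responder SYN-ACK ('h')."""
    out = []
    for row in parse_zeek_tsv(conn_text):
        if row["proto"] != "tcp":
            continue
        hist = row["history"]
        if "S" not in hist or "h" not in hist:
            out.append((row["uid"], hist, row["conn_state"], row["service"]))
    return out


def weird_counts(weird_text):
    """Count weird.log entries by name."""
    return Counter(row["name"] for row in parse_zeek_tsv(weird_text))


def summarize(conn_text, weird_text):
    """Combine both views so weirds can be tied back to the partial connections."""
    partial = tcp_without_handshake(conn_text)
    partial_uids = {p[0] for p in partial}
    return {
        "tcp_without_handshake": partial,
        "weird_counts": dict(weird_counts(weird_text)),
        "weirds_on_partial_conns": dict(Counter(
            row["name"] for row in parse_zeek_tsv(weird_text)
            if row["uid"] in partial_uids)),
    }


if __name__ == "__main__":
    # Usage: python3 check_partial.py conn.log weird.log  (falls back to samples)
    if len(sys.argv) == 3:
        conn_text = open(sys.argv[1]).read()
        weird_text = open(sys.argv[2]).read()
    else:
        conn_text, weird_text = CONN_LOG, WEIRD_LOG
    for key, value in summarize(conn_text, weird_text).items():
        print(f"{key}: {value}")
```

On the constructed samples the script flags `Cpart02` (history `DdAa`, state OTH, no service identified) and attributes both `data_before_established` weirds to it, while the connection with a full `ShADadFf` history is left alone. The checksum weird is kept in the overall count so you can see when `-C` is worth using.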