[Zeek] http body q.
Dk Jack
dnj0496 at gmail.com
Tue Jul 30 18:37:36 PDT 2019
Uhm! Didn't notice that. Thanks for pointing it out. Looks like my earlier
experiment on try.bro.org was with another server.
I am getting the same behavior now on my setup and try.bro.org setup with
the two pcaps.
On Tue, Jul 30, 2019 at 5:46 PM Jon Siwek <jsiwek at corelight.com> wrote:
> On Tue, Jul 30, 2019 at 4:04 PM Dk Jack <dnj0496 at gmail.com> wrote:
>
> > However, in my cluster setup, the end_entity event from response body is
> > coming first, then log-filter call, followed by end entity call for request.
>
> For the pcap you gave, it looks like that is actually the real order
> of the packets: the client is in the middle of sending the request
> body, but we see the server's OK response before the request is even
> finished (server also starts trying to reset connection at that
> point). So seems like it's weirdness to blame on that particular HTTP
> server? Or do you generally see this same pattern for other servers,
> too?
>
> - Jon
>
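
The ordering discussed in this thread, as an added example that is not code from either poster or from the Zeek project: a script that records per connection which direction's `http_end_entity` fired first, so logic that needs both bodies does not assume the request entity always ends before the response entity. The `EntityOrder` record and the `entity_order` field are hypothetical names, and the sketch tracks one request/response pair at a time (no pipelining).

```zeek
# Added example: hypothetical names, not part of the original thread.
type EntityOrder: record {
    req_done: bool &default=F;    # request entity (is_orig=T) has ended
    resp_done: bool &default=F;   # response entity (is_orig=F) has ended
    resp_first: bool &default=F;  # response entity ended before the request's
};

redef record connection += {
    entity_order: EntityOrder &optional;
};

event http_end_entity(c: connection, is_orig: bool)
    {
    if ( ! c?$entity_order )
        c$entity_order = EntityOrder();

    # Records are reference types, so updates through st land on c.
    local st = c$entity_order;

    if ( is_orig )
        st$req_done = T;
    else
        {
        st$resp_done = T;
        if ( ! st$req_done )
            {
            # The case from the pcap: the server answered while the client
            # was still sending its request body.
            st$resp_first = T;
            print fmt("%s: response entity ended before request entity", c$uid);
            }
        }

    if ( st$req_done && st$resp_done )
        {
        # Both bodies are complete; act on them here, whichever came first.
        print fmt("%s: both entities complete (resp_first=%s)",
                  c$uid, st$resp_first);
        delete c$entity_order;
        }
    }
```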