[ https://bro-tracker.atlassian.net/browse/BIT-1179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16110#comment-16110 ]

Jon Siwek commented on BIT-1179:
--------------------------------

There's a missing TCP segment in the middle of that pcap that looks like it 
would have contained an HTTP reply.  And the thing about the HTTP analyzer 
seems to be that it stops parsing the rest of the connection if there's a gap 
that's not isolated to an HTTP message body.  So two files end up being pushed 
from the HTTP analyzer over to the file analysis stuff, then the HTTP analyzer 
stops parsing anything else due to the missing TCP segment.

Since that seems intentional and it's an HTTP analysis limitation, not a file 
analysis bug, think there's anything to do here right now?

> HTTP messages missing in files.log
> ----------------------------------
>
>                 Key: BIT-1179
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1179
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Robin Sommer
>            Assignee: Jon Siwek
>             Fix For: 2.3
>
>
> I have a trace with multiple HTTP requests inside a persistent HTTP session, 
> for which only the first two appear in files.log; the remaining ones are 
> missing. Looks like a bug. 



--
This message was sent by Atlassian JIRA
(v6.3-OD-02-026#6318)
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
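
Added example (not part of the original message or of Bro's own code): a triage check that lists HTTP connections whose conn.log entry reports a content gap (`missed_bytes` > 0), along with how many files.log entries each produced, since per the comment above files from later requests on such a connection may be absent. The log excerpts are constructed and reduced to the few columns the check uses.

```python
# Constructed sample logs in Bro's tab-separated format (not from the BIT-1179 trace).
CONN_LOG = """\
#separator \\x09
#fields\tuid\tservice\tmissed_bytes
#types\tstring\tstring\tcount
CaAAAA1\thttp\t0
CbBBBB2\thttp\t1460
CcCCCC3\tdns\t0
"""

FILES_LOG = """\
#separator \\x09
#fields\tfuid\tconn_uids\tsource
#types\tstring\tset[string]\tstring
FaAAAA1\tCaAAAA1\tHTTP
FbBBBB1\tCbBBBB2\tHTTP
FbBBBB2\tCbBBBB2\tHTTP
"""

def read_bro_log(text):
    """Parse Bro TSV log text into a list of dicts keyed by the #fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def http_conns_with_gaps(conn_text, files_text):
    """Return (uid, missed_bytes, http_files_logged) for HTTP connections with gaps."""
    files_per_uid = {}
    for f in read_bro_log(files_text):
        if f["source"] != "HTTP":
            continue
        for uid in f["conn_uids"].split(","):  # set values are comma-separated
            files_per_uid[uid] = files_per_uid.get(uid, 0) + 1
    flagged = []
    for c in read_bro_log(conn_text):
        missed = 0 if c["missed_bytes"] == "-" else int(c["missed_bytes"])
        if "http" in c["service"].split(",") and missed > 0:
            flagged.append((c["uid"], missed, files_per_uid.get(c["uid"], 0)))
    return flagged

if __name__ == "__main__":
    for uid, missed, nfiles in http_conns_with_gaps(CONN_LOG, FILES_LOG):
        print(f"{uid}: {missed} bytes missed, {nfiles} HTTP file(s) logged; "
              "later requests on this connection may not appear in files.log")
```

A flagged connection is not proof that files are missing: `missed_bytes` does not say where the gap fell, and a gap confined to an HTTP message body does not stop the analyzer.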
