[ https://bro-tracker.atlassian.net/browse/BIT-809?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Seth Hall updated BIT-809:
--------------------------
Resolution: Fixed
Status: Closed (was: Open)
I just tested and this bug no longer exists in Bro. There was a lot of work
done on internal file handling for the 2.4 release.
> HTTP file extraction not correct
> --------------------------------
>
> Key: BIT-809
> URL: https://bro-tracker.atlassian.net/browse/BIT-809
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.0
> Reporter: dalton
> Labels: HTTP
>
> I'm trying to use BRO to look at some pipelined HTTP traffic. I'm asking for
> file extraction but one of the extracted files is the wrong size. In the
> attached pcap, packet BIT-225 shows the content length as 41931. In the
> http.log file, I see this:
>
> 1312412117.323323 d8RHszXqnfi 192.168.123.105 37621 74.208.60.21
> 80 7 GET crev.info /images/interface/resources.png
> http://crev.info/ Mozilla/5.0 (Linux; U; Android 2.2.1; en-us; HTC
> Dream Build/FRG83) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile
> Safari/533.1 0 *41931* 200 OK - - -
> (empty) - - - image/png -
> http-item_192.168.123.105:37621-74.208.60.21:80_resp_7.dat
> 1312412117.710518 d8RHszXqnfi 192.168.123.105 37621 74.208.60.21
> 80 8 GET crev.info /images/interface/navbar_li.png
> http://crev.info/ Mozilla/5.0 (Linux; U; Android 2.2.1; en-us; HTC
> Dream Build/FRG83) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile
> Safari/533.1 0 928 200 OK - - -
> (empty) - - - application/octet-stream -
> http-item_192.168.123.105:37621-74.208.60.21:80_resp_7.dat
>
> output dir listing:
> ----
> -rw-r--r-- 1 dporter dporter 1150 2012-04-10 21:59
> http-item_192.168.123.105:37621-74.208.60.21:80_resp_10.dat
> -rw-r--r-- 1 dporter dporter 60901 2012-04-10 21:59
> http-item_192.168.123.105:37621-74.208.60.21:80_resp_1.dat
> -rw-r--r-- 1 dporter dporter 72217 2012-04-10 21:59
> http-item_192.168.123.105:37621-74.208.60.21:80_resp_2.dat
> -rw-r--r-- 1 dporter dporter 330 2012-04-10 21:59
> http-item_192.168.123.105:37621-74.208.60.21:80_resp_3.dat
> -rw-r--r-- 1 dporter dporter 851 2012-04-10 21:59
> http-item_192.168.123.105:37621-74.208.60.21:80_resp_4.dat
> -rw-r--r-- 1 dporter dporter 716 2012-04-10 21:59
> http-item_192.168.123.105:37621-74.208.60.21:80_resp_5.dat
> -rw-r--r-- 1 dporter dporter 3408 2012-04-10 21:59
> http-item_192.168.123.105:37621-74.208.60.21:80_resp_6.dat
> -rw-r--r-- 1 dporter dporter *32931* 2012-04-10 21:59
> http-item_192.168.123.105:37621-74.208.60.21:80_resp_7.dat
> -rw-r--r-- 1 dporter dporter 771040 2012-04-10 21:59
> http-item_192.168.123.105:37621-74.208.60.21:80_resp_9.dat
> ----
>
>
> The content length is correct in http.log, but the output file (..._resp_7)
> has length 32931.
> Also, why does http.log indicate that both resources.png AND navbar_li.png
> are both written to resp_7.dat?
>
> The results from xplico and wireshark when run on this pcap file look correct
> to me.
_______________________________________________
bro-dev mailing list
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
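
A check for the symptom reported above, as an added example that is not part of the original message or of Bro: it reads http.log by its `#fields` header and flags extraction files whose on-disk size matches no logged `response_body_len`, or that more than one transaction claims. The column names `uri`, `response_body_len` and `extraction_file` and the reduced-column sample are assumptions; the resp_7 sizes and file names come from the report.

```python
import os

def parse_http_log(text):
    """Yield one dict per record, named by the log's '#fields' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif fields and line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def audit_extraction(log_text, sizes):
    """sizes maps extraction file name -> bytes on disk; returns findings."""
    claims = {}  # extraction file -> [(uri, logged body length), ...]
    for rec in parse_http_log(log_text):
        name = rec.get("extraction_file", "-")
        length = rec.get("response_body_len", "-")
        if name not in ("-", "") and length.isdigit():
            claims.setdefault(name, []).append((rec.get("uri", "?"), int(length)))
    findings = []
    for name, recs in claims.items():
        logged = [n for _, n in recs]
        if len(recs) > 1:  # several transactions wrote to one file
            findings.append(("shared_file", name, [u for u, _ in recs]))
        if name not in sizes:
            findings.append(("missing_file", name, None))
        elif sizes[name] not in logged:  # truncated or overwritten body
            findings.append(("size_mismatch", name, (sizes[name], logged)))
    return sorted(findings, key=lambda f: (f[1], f[0]))

def sizes_on_disk(directory):
    """Collect real file sizes from an extraction output directory."""
    return {f: os.path.getsize(os.path.join(directory, f))
            for f in os.listdir(directory)}

# Constructed sample: reduced column set; the resp_7 values are from the report,
# the resp_6 URI is made up (only its on-disk size appears in the listing).
PREFIX = "http-item_192.168.123.105:37621-74.208.60.21:80_resp_"
SAMPLE_LOG = "\n".join([
    "#fields\tts\tuid\turi\tresponse_body_len\textraction_file",
    "1312412117.100000\td8RHszXqnfi\t/constructed/ok.png\t3408\t" + PREFIX + "6.dat",
    "1312412117.323323\td8RHszXqnfi\t/images/interface/resources.png\t41931\t" + PREFIX + "7.dat",
    "1312412117.710518\td8RHszXqnfi\t/images/interface/navbar_li.png\t928\t" + PREFIX + "7.dat",
])
SAMPLE_SIZES = {PREFIX + "6.dat": 3408, PREFIX + "7.dat": 32931}

if __name__ == "__main__":
    for finding in audit_extraction(SAMPLE_LOG, SAMPLE_SIZES):
        print(finding)
```

Against a real run, pass the contents of http.log and `sizes_on_disk()` of the extraction directory instead of the sample values.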