Bro - File Extraction

Mehmet_LEBLEBICI · May 11, 2016, 8:41am

Hello all,

I am using Bro 2.4.1 and want to extract files seen on the network traffic. For this i loaded extract-all-files.bro script in local.bro. However, it does not completely extract files. It seems it stops extracting after some point. This occurs for all file types. I looked at the files.log file and see that total_bytes and seen_bytes fields are not same. I also checked extract file size limit and there is no problem with that. Also, when i save the traffic into a pcap file and issue bro -Cr pcapFile.pcap …/extract-all-files.bro, it extracts files successfully. However, it cannot do so in current/logs/extractFiles directory. I am kind of new to Bro and i am stuck with this problem for about a week. So, any help will be appreciated.

Thanks in advance,

Mehmet Leblebici

johanna · May 17, 2016, 4:57pm

Hello Mehmet,

this sounds a bit like you encountered packet loss and Bro might not have
seen all the data packets, either due to network problems, or because the
CPU was overutilized during life capture.

Did you take a look at the missing_bytes field in files.log and if this is
greater than 0?

Johanna

Topic		Replies	Views
http incomplete file extraction (Files::ANALYZER_EXTRACT) Zeek	8	159	May 6, 2022
File Extraction Gaps Zeek	6	116	May 6, 2022
All file extraction Zeek	1	128	May 6, 2022
File Extraction wierdness Zeek	3	101	May 6, 2022
Extract complete files Zeek	6	131	May 6, 2022

Bro - File Extraction

Related Topics