can't get the http analyzer to print anything

Folks,
   I'm having trouble running the http analyzer (in Bro 1-1) and would
appreciate any help.

Running bro in offline mode with tcpdump file (contains several sessions
on port 80) as

% bro -r trace_incl-http.pcap http

this creates an empty http log. NO http sessions show up!

When I run bro with -t, the tracefile generated does not have any http
events logged.

Digging deeper, I see that in Sessions.cc, NetSessions::NewConn(..)

//----snip-----//
  case 1080:
  case 3128: // Default port of Squid Proxy Cache.
  case 8000:
  case 8080:
  case 8888:
    if ( http_request || http_reply )
      c = new HTTP_Conn(this, k, t, id, tp);

//-----snip----//

the condition in the _if_ always evaluates to false.

*question*: Are http_request and http_reply, which are called here,
defined somewhere? I couldn't grep for them in src/

I'm probably doing something very silly, but non-obvious :)

Any pointers to what I might be missing/doing wrong?
The pcap file and the (-t) trace file are attached.

If it helps, I've attached the tracefile and also the connection log (by
running the conn analyzer; this clearly shows http flows)

cheers,

-jc

bro.trace (16.8 KB)

conn.log (3.88 KB)
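Before chasing the analyzer, it is worth confirming offline that the capture actually contains request lines on the ports that NewConn dispatches to HTTP_Conn. The following is an added example, not code from the thread or from Bro: a stdlib-only pcap walker that reports TCP segments which start with an HTTP method and are addressed to one of those ports (80 plus the cases quoted in the snippet above). It assumes a little-endian pcap with Ethernet/IPv4/TCP frames; the sample capture is constructed inline.

```python
import struct
import ipaddress

# Ports NetSessions::NewConn routes to HTTP_Conn (80 plus the cases quoted above).
HTTP_PORTS = {80, 1080, 3128, 8000, 8080, 8888}
METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"TRACE ")

def tcp_payloads(pcap):
    """Yield (src, sport, dst, dport, payload) per Ethernet/IPv4/TCP frame."""
    assert struct.unpack_from("<I", pcap, 0)[0] == 0xA1B2C3D4, "little-endian pcap only"
    off = 24  # skip the global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        ip, tcp = frame[14:14 + ihl], frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield (str(ipaddress.IPv4Address(ip[12:16])), sport,
               str(ipaddress.IPv4Address(ip[16:20])), dport, tcp[(tcp[12] >> 4) * 4:])

def http_requests(pcap):
    """Return (src, dst, dport, request line) for segments the port dispatch would treat as HTTP."""
    return [(src, dst, dport, data.split(b"\r\n", 1)[0].decode())
            for src, _, dst, dport, data in tcp_payloads(pcap)
            if dport in HTTP_PORTS and data.startswith(METHODS)]

def build_frame(src, sport, dst, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame for the sample capture; checksums left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Wrap frames in a little-endian pcap file image (linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f
    return out

# Constructed sample: a request/reply pair on 80, an SSH banner, a proxy request on 3128.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", 40001, "192.0.2.10", 80, b"GET /index.html HTTP/1.0\r\nHost: x\r\n\r\n"),
    build_frame("192.0.2.10", 80, "10.0.0.5", 40001, b"HTTP/1.0 200 OK\r\n\r\n"),
    build_frame("10.0.0.5", 40002, "192.0.2.10", 22, b"SSH-2.0-OpenSSH\r\n"),
    build_frame("10.0.0.5", 40003, "192.0.2.11", 3128, b"GET http://example/ HTTP/1.1\r\n\r\n"),
])
```

Run `http_requests(open("trace_incl-http.pcap", "rb").read())` on the real trace; an empty result means the problem is in the capture rather than in the analyzer or the policy scripts.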

> % bro -r trace_incl-http.pcap http

Confusingly, you need to use

  % bro -r trace_incl-http.pcap http-request

to see requests or

  % bro -r trace_incl-http.pcap http-reply

to see requests & replies.

You're not the first person to find this confusing, so I think for 1.2 we
should change the scripts around so just using http pulls in full analysis.

    Vern

Vern,
   Thanks for the quick turn-around.

Unfortunately, your suggestion doesn't seem to fix it!
  % bro -r trace_incl-http.pcap http-request
also creates an empty http.log file (so does using http-reply).

[your mail clarified things somewhat] I see a
  ...
  print http_log fmt(... connection...)
    in http-request.bro
which should log the request in http.log

However, I still don't see http-request events being generated in the
(generated with -t) trace file. Also, here's a transcript of running in
the debugger (the "new connection created" is printed in Sessions.cc,
when the HTTP_Conn constructor is called).

// -----
% bro -d -r trace_incl-http.pcap http-request
Policy file debugging ON.
In bro_init() at /local/bro/policy/pcap.bro:99
99 update_default_pcap_filter();
(Bro [0]) break http_request
Setting breakpoint on http_request:
Breakpoint 1 set at http_request
at /local/bro/policy/http-request.bro:60
(Bro [1]) continue
Continuing.
new connection created
new connection created
%
// ----- [end]----
No http_request events triggered.

Any leads as to what I can try?

Also, could you tell me exactly how "events" are called in the source
code (a pointer to an instance where this is done would be great). I'm a
little hazy about how the arguments are passed to the event handler. Is
there an implicit mechanism to pass args?
My confusion stems from http_request being defined as taking 4 args
(http-rw.bif.func_def: run_time("http_request() takes exactly 4
argument(s)")), but I don't see the explicit call anywhere.

cheers,

-jc