Folks,
I'm having trouble running the http analyzer (in Bro 1-1) and would
appreciate any help.
Running bro in offline mode with tcpdump file (contains several sessions
on port 80) as
% bro -r trace_incl-http.pcap http
this creates an empty http log. NO http sessions show up!
When I run bro with -t, the tracefile generated does not have any http
events logged.
Digging deeper, I see that in Sessions.cc; NetSessions::NewConn(..)
//----snip-----//
    case 1080:
    case 3128: // Default port of Squid Proxy Cache.
    case 8000:
    case 8080:
    case 8888:
        if ( http_request || http_reply )
            c = new HTTP_Conn(this, k, t, id, tp);
//-----snip----//
the condition in the _if_ always evaluates to false.
*question*: Are http_request and http_reply, which are called here,
defined somewhere? I couldn't grep for them in src/
I'm probably doing something very silly, but non-obvious :)
Any pointers to what I might be missing/doing wrong?
The pcap file and the (-t) trace file are attached.
If it helps, I've attached the tracefile and also the connection log (by
running the conn analyzer; this clearly shows http flows)

Unfortunately, your suggestion doesn't seem to fix it!
% bro -r trace_incl-http.pcap http-request
also creates an empty http.log file (and so does using http-reply)
[your mail clarified things somewhat] I see a
...
print http_log fmt(... connection...)
in http-request.bro
which should log the request in http.log
However, I still don't see http-request events being generated in the
(generated with -t) trace file. Also, here's a transcript of running in
the debugger (the "new connection created" is printed in Sessions.cc,
when the HTTP_Conn constructor is called).
// -----
% bro -d -r trace_incl-http.pcap http-request
Policy file debugging ON.
In bro_init() at /local/bro/policy/pcap.bro:99
99 update_default_pcap_filter();
(Bro [0]) break http_request
Setting breakpoint on http_request:
Breakpoint 1 set at http_request
at /local/bro/policy/http-request.bro:60
(Bro [1]) continue
Continuing.
new connection created
new connection created
%
// ----- [end]----
No http_request events triggered.
Any leads as to what I can try?
Also, could you tell me exactly how "events" are called in the source
code (a pointer to an instance where this is done would be great). I'm a
little hazy about how the arguments are passed to the event handler. Is
there an implicit mechanism to pass args?
My confusion stems from http_request being defined as taking 4 args
(http-rw.bif.func_def: run_time("http_request() takes exactly 4
argument(s)")), but I don't see the explicit call anywhere.