I'm working on Bro and extracting certain types of files to the file system. My question is that Bro often produces a file whose size differs from the original one. So I performed some tests with a vanilla Bro configured only as below.
redef HTTP::extract_file_types = /application\/.*/;
redef HTTP::extraction_prefix = "/usr/local/bro/logs/http-entity/";

After that, I compared the extracted file with the original one while capturing packets.

I found the following:
Downloaded file( :

Original file size: 96396 bytes

From Bro: 94119 bytes

Pcap: 96396 bytes

The pcap doesn't have any missing parts, but Bro created an incomplete file which doesn't have the last part of the file (2277 bytes).

I would appreciate it if you could provide me with any clue or thought for solving it.

I think that there is a bug in Bro that shows up like this in some cases. This is unlikely to be a bug that any of us on the core team are going to look into, though, because there is new "file" handling code that is coming soon and just generally works better all around.

Sorry for the probably unsatisfactory answer, but things will be even better soon! :)