Different behavior between online and offline for HTTP keepalive requests


I’m trying to capture the HTTP requests between a client and an HTTP proxy that uses keepalive to send multiple requests within one connection. I tried starting a pf_ring cluster and a standalone Bro worker using broctl, and also starting Bro from the command line, saving the pcap file in the meantime. I got incomplete HTTP requests logged, and also observed a URL as the HTTP method in the log. Then I tried using offline mode to load the pcap file from the command line, and I got all requests logged without any issue.

What’s the difference between online and offline mode? Using broctl is even worse than using the command line to launch online capture. What’s the difference?