I have some very long lived http connections where the capture file doesn’t have the tcp setup packets. Is there a way to force the analyser to run on such partial connections? Anyway to twiddle the connection recods to run the analyser you want?
thanks
I have some very long lived http connections where the capture file doesn't
have the tcp setup packets. Is there a way to force the analyser to run on
such partial connections?
Which version of Bro are you using, and with what options? In 1.5.1, the
settings are such that HTTP analysis should work on partial connections
if you're not running with --use-binpac. (By default, this is indeed off.)
Vern
Thanks, i will upgrade to 1.5.1. I am currently using 1.4.
Sridhar
Tried it on bro 1.5.1 but am unable to get it to run the http analyzer on a partial trace. I have attached the trace in question to this email, if you want to try it out.
I am using the following command to get it to pick up the http requests, "bro -C -f ‘tcp’ -r partial.pcap http http-request http-reply
Sridhar
partial.pcap (31.5 KB)
Tried it on bro 1.5.1 but am unable to get it to run the http analyzer on a
partial trace. I have attached the trace in question to this email, if you
want to try it out.
Oops, I now see that I was running on a modified 1.5.1 that was specifically
hacked a while ago to avoid this problem too! Patched appended.
Vern
Index: src/HTTP.cc