I want to reassemble the http-content for various streams. Right now I have been able to generically reassembled all of the content, but with mixed results. The plaintext content seems to be reassembling fine, however, binary content has had mixed results. I have successfully reassembled several gifs (minus a newline), but others I have not. Looking at the hexdump of the content output, it seems like some gifs are being outputed in ASCII Hex, and others real binary. I then looked at the packet captures, and ethereal is showing the binary of the gifs. The subtle difference that I have noticed is that the successful gifs do not have any "X-..." optional headers in them, whereas those that are failing have had "X-Cache" and "X-Pad" for example.
Any thoughts on why Bro changes its output based on the optional headers? Or why it could be sometimes outputting binary and others ASCII Hex?
Any thoughts on why Bro changes its output based on the optional
headers?
This almost for sure isn't the problem, as I don't believe there's any
code relating to looking at the headers in this regard.
I kinda figured that, but just wanted to make sure.
Or why it could be sometimes outputting binary and others
ASCII Hex?
How are you using/printing the values recovered by Bro? Best bet is that
you're running into Bro introducing some escape sequences.
I am storing the values as strings and printing to an open file. I was concatenating the data using the fmt() command. Given what you said, I switched to the cat () function and that works. Thanks for making me think about it more.
The only thing I am still noticing is that with a print it appends a newline to each print statement. Is there anyway to prevent this?