http.log mime_type miss match

Hi every one

I am testing some of the music streaming service and found one of them miss matching mime_type compare to Wireshark.

wireshark’s type is audio/mpeg but bro http.log is text/plain

is it bro2.1 is outputting wrong type or do I have to write custom bro script?

this is the bro 2.1 http.log :

Jun 10 09:20:29 6a7HgNEZlOb 192.X.X.X 53796 80 1 POST /stream.php Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 104 10296924 200 OK - - - (empty) - - - text/plain - -

this is the Wireshark screenshot link

and this is the pcap file (it’s about 733MB)

I'm not familiar with how Wireshark determines mime type, but that
version of Bro uses the libmagic database and primarily determines
mime type by searching for a magic number in the first 1024 bytes of
the file. It's possible that Bro incorrectly determined the mime type.

Changes were made in Bro 2.3 to move away from the libmagic db.
Hopefully this means that, in the future, mime type determination will
be more accurate / extensible. Check the release notes for more info
on that: