http.log mime_type miss match

user13 · June 11, 2014, 8:58am

Hi every one

I am testing some of the music streaming service and found one of them miss matching mime_type compare to Wireshark.

wireshark’s type is audio/mpeg but bro http.log is text/plain

is it bro2.1 is outputting wrong type or do I have to write custom bro script?

this is the bro 2.1 http.log :

Jun 10 09:20:29 6a7HgNEZlOb 192.X.X.X 53796 8.20.213.33 80 1 POST stream66c-he.grooveshark.com /stream.php http://grooveshark.com/static/JSQueue_20140421162423.swf Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 104 10296924 200 OK - - - (empty) - - - text/plain - -

this is the Wireshark screenshot link

http://ex.narusec.com/data/public/2b0474.php

and this is the pcap file (it’s about 733MB)

http://ex.narusec.com/data/public/23fac8.php

Josh_Liburdi · June 11, 2014, 11:59am

I'm not familiar with how Wireshark determines mime type, but that
version of Bro uses the libmagic database and primarily determines
mime type by searching for a magic number in the first 1024 bytes of
the file. It's possible that Bro incorrectly determined the mime type.

Changes were made in Bro 2.3 to move away from the libmagic db.
Hopefully this means that, in the future, mime type determination will
be more accurate / extensible. Check the release notes for more info
on that: http://www.bro.org/sphinx-git/install/release-notes.html

-Josh

Topic		Replies	Views
Mime-type issues (text/plain and application/x-msdownload) Zeek	5	79	May 6, 2022
Extracting content types of the HTTP responses Zeek	2	87	May 6, 2022
File Analysis Inconsistencies Development development	6	91	May 6, 2022
Sometimes HTTP.log fails to generate from PCAP file Zeek	3	70	May 6, 2022
HTTP responses details are missing Zeek	3	104	May 6, 2022

http.log mime_type miss match

Related Topics