http.log missing info

Hello all,

  Forgive my question if it's basic, but I was not able to find the
answer I was looking for in the docs, FAQ or mailing list archive.

  I just set up bro and am having it just run locally so I can work
with it. I noticed that my http.log file is not recording all the
information for HTTP sessions. It records the connection info (src,
dst, ports), the status_code and msg, and that's it. Anything beyond
that, like the uri, host, UA, is missing.

  I also noticed that the request body lengths are set to 0. My
conn.log shows the same (request lengths are set to 0). To me this
means that it's not seeing the requests go out. I have verified this is
happening with both live analysis and through a recorded pcap which
does contain the requests.

Oddly, if I download the http.pcap from the second exercise from the 2011
Bro workshop, it does work correctly.

Is there a config option that I did not set correctly? I have
verified that my networks.cfg is set up correctly and have not
modified any other settings.

Tyler

Anything beyond
that, like the uri, host, UA, is missing.

You're missing everything from the client. :wink:

Is there a config option that I did not set correctly? I have
verified that my networks.cfg is set up correctly and have not
modified any other settings.

I suspect you have checksum offloading enabled on your NIC. The behavior when someone runs this on their desktop is that you will see everything from the server, since those checksums are set correctly, but data from the client (you) offloads checksum creation to the NIC, so when libpcap receives the packet it has random data in the checksum field.

Try running Bro with the -C flag to disable checksum validation (but only for testing, you obviously don't want that on live traffic).

  .Seth
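The mechanism Seth describes, as an added example that is not part of the original thread and not Bro's own code: a small TCP checksum validator run over two constructed packets, one from the "server" with a correct checksum and one from the "client" whose checksum field still holds the stale value the host left there for the NIC to fill in. With validation on (Bro's default) only the server segment survives, which is exactly the half-empty http.log Tyler saw; with validation off (what `bro -C` does) both reach the analyzer. Packet contents, addresses and the `deliver` gate are assumptions made for illustration.

```python
"""
Added example, not from the original thread or from Bro itself: models why
NIC checksum offloading makes a sniffer on the sending host drop its own
client-side segments, and what ignoring checksums (bro -C) changes.
All packets below are constructed inline; no capture or network is needed.
"""
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum sum over data, padding an odd trailing byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, tcp_segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header and the segment with its checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp_segment))  # zero, proto=TCP, length
    zeroed = tcp_segment[:16] + b"\x00\x00" + tcp_segment[18:]  # checksum lives at bytes 16-17
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def build_packet(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                 payload: bytes, offloaded: bool = False) -> dict:
    """
    Build a minimal IPv4/TCP packet (20-byte TCP header, no options).
    offloaded=True models what libpcap sees on the sending host when the NIC
    is responsible for the checksum: the field holds a stale value, not the
    real one. The complement of the correct value is used here so the
    mismatch is guaranteed (a real stack leaves arbitrary bytes).
    """
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum=0, urgent
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    segment = header + payload
    good = tcp_checksum(src, dst, segment)
    stored = good ^ 0xFFFF if offloaded else good
    segment = segment[:16] + struct.pack("!H", stored) + segment[18:]
    return {"src": src, "dst": dst, "tcp": segment}


def checksum_ok(pkt: dict) -> bool:
    """True if the checksum carried in the segment matches one recomputed over the packet."""
    stored = struct.unpack("!H", pkt["tcp"][16:18])[0]
    return stored == tcp_checksum(pkt["src"], pkt["dst"], pkt["tcp"])


def deliver(packets: list, ignore_checksums: bool = False) -> list:
    """
    Per-packet gate as an analyzer would apply it: with validation on, a segment
    with a bad checksum is dropped before reassembly; with ignore_checksums=True
    (the effect of bro -C) every segment is accepted. Returns the TCP payloads
    that would reach the HTTP analyzer.
    """
    return [p["tcp"][20:] for p in packets if ignore_checksums or checksum_ok(p)]


def sample_packets() -> list:
    """Constructed two-packet exchange: the local client's request (offloaded) and the server's reply."""
    request = build_packet("10.0.0.5", "93.184.216.34", 51234, 80,
                           b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", offloaded=True)
    response = build_packet("93.184.216.34", "10.0.0.5", 80, 51234,
                            b"HTTP/1.1 200 OK\r\n\r\n")
    return [request, response]


if __name__ == "__main__":
    pkts = sample_packets()
    print("checksums valid:", [checksum_ok(p) for p in pkts])
    print("default (validate):", deliver(pkts))
    print("bro -C (ignore):   ", deliver(pkts, ignore_checksums=True))
```

With validation on, only the server's `HTTP/1.1 200 OK` payload is delivered, so the analyzer can fill in status_code and msg but never sees the request line, Host or User-Agent. On the capture host itself the choices are `bro -C`, as Seth says, or turning off transmit checksum offload on the interface (on Linux, `ethtool -K <iface> tx off`) so the kernel writes real checksums before libpcap copies the frame.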

That was it! Man, I even read that in the FAQ and didn't think about
it. Thanks!

Tyler