http_request event

What exactly are you doing in your script? Note that "@load http" won't
do it - you need "@load http-request" or "@load http-reply" to get
request/replies, respectively.


Hi Vern,
   Thank you for your reply. I have actually loaded all http-related .bro files,
including http, http-request, http-reply, http-body, etc. I load them in mt.bro
and run Bro: ./bro -i eth0 mt. I then access a web server from the same machine
where Bro is running. http-request and http-reply event handlers have never been
called. Please note that I am doing these experiments in a closed
environment, a small LAN, which is connected together with a hub and
disconnected from the Internet. There are no DNS servers or gateway here. The
communication is basically point-to-point. Is this environment affecting the
functionality of the http analyzer?



Quoting Vern Paxson:

Hi, Bing,

Could you capture a piece of trace using 'tcpdump -w' (using '-s 5000' to make sure complete packets are captured) and run bro over the trace (with -r)? And if it doesn't work, please send us the trace and policy scripts you modified. It will help us understand what the problem is. Thanks!


Hi Ruoming,
   Thank you for your reply. It turns out it is a checksum problem. Please refer
to my description in my latest email to Vern and this list. Does Bro filter
out or ignore all bad checksum packets?


Quoting Ruoming Pang <rpang@CS.Princeton.EDU>: