What exactly are you doing in your script? Note that "@load http" won't
do it - you need "@load http-request" or "@load http-reply" to get
request/replies, respectively.
Vern
Hi Vern,
Thank you for your reply. I have actually loaded all http-related .bro files,
including http, http-request, http-reply, http-body, etc. I load them in mt.bro
and run Bro: ./bro -i eth0 mt. I then access a web server from the same machine
where Bro is running. http-request and http-reply event handlers have never been
called. Please note that I am doing these experiments in a closed
environment, a small LAN, which is connected together with a hub and
disconnected from the Internet. There are no DNS servers or gateway here. The
communication is basically point-to-point. Is this environment affecting the
functionality of the http analyzer?
thanks
Bing
Quoting Vern Paxson <vern@icir.org>:
Hi, Bing,
Could you capture a piece of trace using 'tcpdump -w' (using '-s 5000' to make sure complete packets are captured) and run bro over the trace (with -r)? And if it doesn't work, please send us the trace and policy scripts you modified. It will help us understand what the problem is. Thanks!
Ruoming
Hi Ruoming,
Thank you for your reply. It turns out it is a checksum problem. Please refer
to my description in my latest email to Vern and this list. Does Bro filter
out or ignore all bad checksum packets?
Bing
Quoting Ruoming Pang <rpang@CS.Princeton.EDU>: