I have a simple question. When I run bro against a .pcap file, it
happens that some log lines do not show any detail regarding the
response e.g., response_body_len, status_msg, status_code, resp_fuids
etc. Is it a problem of the HTTP analyzer?
I am currently trying to extract all the text/files of all responses,
however it seems that some connections responses are not parsed by the
HTTP analyzer.
I tried to extract the files (following the scripts below), however also
in these settings some "files" were missing. In my case I am talking
about .css / .html / .js in the response content.

Thanks for the suggestion. That was not the case. While I was
debugging I saw that most connections without files were missing bytes
(in the conn.log) and were present in the weird.log due to truncated TCP.
The .pcap in question was generated by replaying a capture (with tcp
replay), and we have injected some traffic in it. Bro apparently did not
like it. With the original .pcap we did not encounter this issue.
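The diagnosis above (http.log rows with no response fields, conn.log showing missed bytes, and a matching weird.log entry) can be checked mechanically. The script below is an added example, not code from the thread or from the Bro/Zeek project: it parses the three ASCII logs by their `#fields` header, then for every http.log row whose `status_code` is unset it reports whether conn.log (`missed_bytes`, the real column name) or weird.log explains the gap, so that only the remaining rows need to be blamed on the HTTP analyzer. The three logs are constructed samples with abbreviated column sets, and the weird name `truncated_tcp` is taken from the poster's wording rather than from a real log.

```python
"""Correlate Zeek/Bro http.log rows that lack response fields with
conn.log missed_bytes and weird.log events.

Added example; the logs below are constructed samples with only the
columns this script needs (real logs carry many more)."""

from collections import defaultdict


def parse_zeek_log(text):
    """Parse a Zeek ASCII (tab-separated) log into a list of dicts.

    Column names come from the '#fields' header line; values equal to
    the '#unset_field' marker (default '-') become None."""
    fields = None
    unset = "-"
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
            continue  # other header lines (#separator, #types, ...) are ignored
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        rows.append({f: (None if v == unset else v) for f, v in zip(fields, values)})
    return rows


def explain_missing_responses(http_text, conn_text, weird_text):
    """For each http.log row without a status_code, return a dict
    uid -> {missed_bytes, weirds, reason}, where reason is 'capture'
    when conn.log/weird.log show lost data, else 'analyzer'."""
    conn = {r["uid"]: r for r in parse_zeek_log(conn_text)}
    weirds = defaultdict(list)
    for r in parse_zeek_log(weird_text):
        weirds[r["uid"]].append(r["name"])

    result = {}
    for r in parse_zeek_log(http_text):
        if r["status_code"] is not None:
            continue  # response was parsed normally
        c = conn.get(r["uid"])
        missed = int(c["missed_bytes"]) if c and c["missed_bytes"] is not None else 0
        names = weirds.get(r["uid"], [])
        reason = "capture" if (missed > 0 or names) else "analyzer"
        result[r["uid"]] = {"missed_bytes": missed, "weirds": names, "reason": reason}
    return result


# ---- constructed sample logs (not real captures) ----
HTTP_LOG = "\n".join([
    "#separator \\x09",
    "#unset_field\t-",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost"
    "\turi\tresponse_body_len\tstatus_code\tstatus_msg\tresp_fuids",
    "1.0\tCabc1\t10.0.0.5\t51000\t192.0.2.10\t80\tGET\texample.test\t/index.html\t512\t200\tOK\tFabc1",
    "2.0\tCdef2\t10.0.0.5\t51001\t192.0.2.10\t80\tGET\texample.test\t/app.js\t-\t-\t-\t-",
    "3.0\tCghi3\t10.0.0.5\t51002\t192.0.2.10\t80\tGET\texample.test\t/style.css\t-\t-\t-\t-",
])

CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tmissed_bytes\thistory",
    "1.0\tCabc1\t10.0.0.5\t51000\t192.0.2.10\t80\ttcp\thttp\t0\tShADadFf",
    "2.0\tCdef2\t10.0.0.5\t51001\t192.0.2.10\t80\ttcp\thttp\t1460\tShADadg",  # 'g' = content gap
    "3.0\tCghi3\t10.0.0.5\t51002\t192.0.2.10\t80\ttcp\thttp\t0\tShADad",
])

# weird name 'truncated_tcp' is the poster's wording, used here as a sample value
WEIRD_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer",
    "2.0\tCdef2\t10.0.0.5\t51001\t192.0.2.10\t80\ttruncated_tcp\t-\tF\tbro",
])


if __name__ == "__main__":
    for uid, info in explain_missing_responses(HTTP_LOG, CONN_LOG, WEIRD_LOG).items():
        print(uid, info)
```

With the sample data, `Cdef2` is attributed to the capture (1460 missed bytes and a weird event), while `Cghi3` has a complete, gap-free connection and is the only row worth raising against the HTTP analyzer. Against real logs, replace the embedded strings with the contents of http.log, conn.log and weird.log from the same run.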