HTTP responses details are missing

Dear all,

I have a simple question. When I run bro against a .pcap file, it
happens that some log lines do not show any detail regarding the
response e.g., response_body_len, status_msg, status_code, resp_fuids
etc. Is it a problem of the HTTP analyzer?

I am currently trying to extract all the text/files of all responses,
however it seems that some connections' responses are not parsed by the
HTTP analyzer.

I tried to extract the files (following the scripts below), however also
in these settings some "files" were missing. In my case I am talking
about .css / .html / .js in the response content.

It's most likely that you had offloaded checksums when you captured the PCAP. More information here:
  Zeek Documentation — Book of Zeek (git/master)

   .Seth

Hi Seth,

Thanks for the suggestion. That was not the case. While I was
debugging I saw that most connections without files were missing bytes
(in the conn.log) and were present in the weird.log due to truncated TCP.

The .pcap in question was generated by replaying a capture (with tcp
replay), and we have injected some traffic in it. Bro apparently did not
like it. With the original .pcap we did not encounter this issue.

So the problem was not in Bro. :)

Thanks again,

Best regards,

Riccardo
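
A check for the condition found in this thread, as an added example that is not part of the original messages: it joins http.log rows that have no status_code with missed_bytes from conn.log and any weird.log entries for the same uid. It assumes the default tab-separated log format; the sample rows, uids and weird name are constructed.

```python
import io

def read_zeek_tsv(stream):
    """Yield one dict per record of a TSV log, keyed by its #fields header."""
    fields = []
    for line in stream:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def explain_missing_responses(conn, http, weird):
    """For each http.log row without a status_code, collect capture-gap evidence."""
    missed = {r["uid"]: int(r["missed_bytes"]) for r in read_zeek_tsv(conn)
              if r.get("missed_bytes", "-") != "-"}
    weirds = {}
    for r in read_zeek_tsv(weird):
        if r.get("uid", "-") != "-":          # some weirds carry no connection uid
            weirds.setdefault(r["uid"], set()).add(r["name"])
    report = {}
    for r in read_zeek_tsv(http):
        if r.get("status_code", "-") == "-":  # "-" marks an unset field
            uid = r["uid"]
            entry = report.setdefault(
                uid, {"uris": [], "missed_bytes": missed.get(uid, 0),
                      "weirds": sorted(weirds.get(uid, ()))})
            entry["uris"].append(r["uri"])
    return report

def _log(fields, *rows):
    """Build an in-memory TSV log from constructed sample rows."""
    lines = ["#fields\t" + "\t".join(fields)] + ["\t".join(r) for r in rows]
    return io.StringIO("\n".join(lines) + "\n")

def demo():
    # Constructed sample data: C2 has a content gap, C3 has no response and no gap.
    conn = _log(["uid", "missed_bytes"], ("C1", "0"), ("C2", "2896"), ("C3", "0"))
    http = _log(["uid", "uri", "status_code"],
                ("C1", "/index.html", "200"), ("C2", "/site.css", "-"),
                ("C3", "/app.js", "-"))
    weird = _log(["uid", "name"], ("C2", "constructed_truncation_weird"), ("-", "other"))
    return explain_missing_responses(conn, http, weird)

if __name__ == "__main__":
    for uid, info in demo().items():
        print(uid, info)
```

Rows with a non-zero missed_bytes or a weird entry point at the capture rather than the HTTP analyzer; rows with neither need a closer look at the traffic itself.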