New to Bro... Question about recording HTTP User Agents

Hi,

I am new to bro and am basically experimenting to see if I can use it to record various HTTP headers and URIs as they transit a network gateway. Right now I am trying to see if I am experimenting with:

bro -r "favorite pcap file" tcp and
bro -r "favorite pcap file" http

to make sure I now what gets recorded in the logs with some of the default policy files. I notice that conn.log gets built just fine when I run the above but I don't seem to get anything in http.log

Any ideas?

Thanks much,

Greg

bro -r "favorite pcap file" http

to make sure I now what gets recorded in the logs with some of the default policy files. I notice that conn.log gets built just fine when I run the above but I don't seem to get anything in http.log

The HTTP processing is split into a bunch of files because there can be
significant performance implications for each type of analysis that you
activate. http.bro is a base script and doesn't activate any logging.
http-request.bro logs requests, but not replies; http-reply.bro logs
both requests and replies. http-header.bro logs headers in requests
and replies, and http-body.bro extracts the items transfered, logging
the first HTTP::content_truncation_limit bytes (default 40).

    Vern