Using dynamic protocol detection to create an HTTP trace


Given a trace with all traffic, is it possible to use Bro to produce a
trace with just the HTTP traffic? Any hints would be appreciated.

Thanks and best regards,


No, not directly (one of the reasons is that DPD may take the
decision whether a connection uses HTTP only after a couple of
packets have already passed; it buffers the payload so that it can
still analyze the full HTTP session, but it does not keep the headers
so that they could be written out into another trace file).

But perhaps you can use Bro to find all the HTTP connections and
then extract them in a second post-processing step. Either you
browse through the notices reported, or you add an event handler for
protocol_confirmation (also see detect-protocols.bro) which then
adds some tag to the connection summaries in conn.log.
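A worked version of the post-processing step the reply suggests, added here as an example; it is not part of the original thread and not Bro's own code. It assumes a conn.log in the current tab-separated Zeek format, where the service column already carries the protocol that DPD confirmed (the role the reply proposes for the added tag), and that tcpdump is available for the extraction pass. The sample conn.log lines are constructed for the demo and trimmed to a few columns; the script reads column positions from the #fields header rather than hardcoding them, so it works on a full conn.log as well.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes a Zeek/Bro conn.log
# with a "#fields" header line and a "service" column holding the
# DPD-confirmed protocol (the tag the reply describes).

# Print a BPF filter matching every connection whose service includes "http".
# Usage: http_filter_from_conn_log conn.log
http_filter_from_conn_log() {
    awk -F'\t' '
        BEGIN {
            split("id.orig_h id.orig_p id.resp_h id.resp_p service", tmp, " ")
            for (i in tmp) need[tmp[i]] = 1
        }
        # Map column names to positions from the #fields header ($1 is "#fields").
        /^#fields/ {
            for (i = 2; i <= NF; i++) col[$i] = i - 1
            for (k in need) if (!(k in col)) {
                print "conn.log lacks column " k > "/dev/stderr"; exit 1
            }
            next
        }
        /^#/ { next }                      # skip the other header/footer lines
        {
            # service may list several protocols, e.g. "http,ssl"; "-" means unset
            n = split($(col["service"]), parts, ",")
            for (j = 1; j <= n; j++) if (parts[j] == "http") {
                term = "(host " $(col["id.orig_h"]) " and port " $(col["id.orig_p"]) \
                       " and host " $(col["id.resp_h"]) " and port " $(col["id.resp_p"]) ")"
                printf "%s%s", (count++ ? " or " : ""), term
                break
            }
        }
        END { if (count) printf "\n" }
    ' "$1"
}

# Constructed sample conn.log (trimmed column set): two HTTP connections,
# one DNS connection and one connection DPD did not classify.
write_sample_conn_log() {
    printf '#separator \\x09\n'
    printf '#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\n'
    printf '#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\n'
    printf '1.0\tC1\t10.0.0.5\t51234\t93.184.216.34\t80\ttcp\thttp\t0.5\n'
    printf '2.0\tC2\t10.0.0.5\t40001\t10.0.0.53\t53\tudp\tdns\t0.1\n'
    printf '3.0\tC3\t10.0.0.7\t51300\t93.184.216.34\t8080\ttcp\thttp,ssl\t1.2\n'
    printf '4.0\tC4\t10.0.0.8\t51400\t1.2.3.4\t443\ttcp\t-\t0.3\n'
}

# Demo on the sample. The real run is: bro -r all.pcap (producing conn.log), then
#   tcpdump -r all.pcap -w http.pcap "$(http_filter_from_conn_log conn.log)"
demo_log=$(mktemp)
write_sample_conn_log > "$demo_log"
http_filter_from_conn_log "$demo_log"
rm -f "$demo_log"
```

Because the filter is applied to the original trace, the packets that passed before DPD reached its decision are included, which is exactly what Bro cannot write out on its own. The filter is per 4-tuple, so a later connection reusing the same addresses and ports would also match; with thousands of HTTP connections the expression gets large and slow to compile, so split the connection list into chunks and merge the resulting pcaps if that becomes a problem.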