<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Seems to capture fine when I do it on my instance of Zeek 3.0. &nbsp;Perhaps you’re not capturing the full packet?<div class=""><br class=""></div><div class=""><a href="https://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html" class="">https://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html</a></div><div class=""><br class=""></div><div class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Oct 17, 2019, at 6:47 PM, Justin Azoff &lt;<a href="mailto:justin@corelight.com" class="">justin@corelight.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Is that request not on port 80?&nbsp; You are probably hitting&nbsp;<a href="https://github.com/zeek/zeek/issues/343" class="">https://github.com/zeek/zeek/issues/343</a>&nbsp; Does the problem go away if you set&nbsp;dpd_buffer_size to 4096?</div><br class=""><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Oct 17, 2019 at 5:51 PM Yi Zhu &lt;<a href="mailto:yizhu@shapesecurity.com" class="">yizhu@shapesecurity.com</a>&gt; wrote:<br class=""></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr" class="">Hi,<div class=""><br class=""></div><div class="">We are using zeek 3.0.0.</div><div class="">We found that&nbsp;zeek drops requests with large headers.</div><div class="">Is it possible&nbsp;to make zeek catch such requests?</div><div class="">For&nbsp;example,</div><div class=""><div style="margin: 0px; font-variant-numeric: normal; font-variant-east-asian: normal; font-stretch: normal; font-size: 12px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">curl -k -i -vv -X GET&nbsp;<a 
href="http://test/login" target="_blank" class="">http://test/login</a>&nbsp;\</div><div style="margin: 0px; font-variant-numeric: normal; font-variant-east-asian: normal; font-stretch: normal; font-size: 12px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">-H 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; YPC 3.2.0; SearchSystem6829992239; SearchSystem9616306563; SearchSystem6017393645; SearchSystem5219240075; SearchSystem2768350104; SearchSystem6919669052; SearchSystem1986739074; SearchSystem1555480186; SearchSystem3376893470; SearchSystem9530642569; SearchSystem4877790286; SearchSystem8104932799; SearchSystem2313134663; SearchSystem1545325372; SearchSystem7742471461; SearchSystem9092363703; SearchSystem6992236221; SearchSystem3507700306; SearchSystem1129983453; SearchSystem1077927937; SearchSystem2297142691; SearchSystem7813572891; SearchSystem5668754497; SearchSystem6220295595; SearchSystem4157940963; SearchSystem7656671655; SearchSystem2865656762; SearchSystem6520604676; SearchSystem4960161466; .NET CLR 1.1.4322; .NET CLR 2.0.50727; Hotbar 10.2.232.0; SearchSystem9616306563; SearchSystem6017393645; SearchSystem5219240075; SearchSystem2768350104; SearchSystem6919669052; SearchSystem1986739074; SearchSystem1555480186; SearchSystem3376893470; SearchSystem9530642569; SearchSystem4877790286; SearchSystem8104932799; SearchSystem2313134663; SearchSystem1545325372; SearchSystem7742471461; SearchSystem9092363703; SearchSystem6992236221; SearchSystem3507700306; SearchSystem1129983453; SearchSystem1077927937; SearchSystem2297142691; SearchSystem7813572891; SearchSystem5668754497; SearchSystem6220295595; SearchSystem4157940963; SearchSystem7656671655; SearchSystem2865656762; SearchSystem6520604676; SearchSystem4960161466; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)' \</div><div style="margin: 0px; font-variant-numeric: normal; font-variant-east-asian: normal; font-stretch: normal; font-size: 12px; line-height: normal; 
font-family: &quot;Helvetica Neue&quot;;" class="">-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \</div><div style="margin: 0px; font-variant-numeric: normal; font-variant-east-asian: normal; font-stretch: normal; font-size: 12px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">-H 'Accept-Language: en-US,en;q=0.5' --compressed \</div><div style="margin: 0px; font-variant-numeric: normal; font-variant-east-asian: normal; font-stretch: normal; font-size: 12px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">-H 'Content-Type: application/x-www-form-urlencoded' \</div><div style="margin: 0px; font-variant-numeric: normal; font-variant-east-asian: normal; font-stretch: normal; font-size: 12px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">-H 'Connection: keep-alive' \</div><div style="margin: 0px; font-variant-numeric: normal; font-variant-east-asian: normal; font-stretch: normal; font-size: 12px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">-H 'Upgrade-Insecure-Requests: 1' \</div><div style="margin: 0px; font-variant-numeric: normal; font-variant-east-asian: normal; font-stretch: normal; font-size: 12px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">-H 'Pragma: no-cache' \</div><div style="margin: 0px; font-variant-numeric: normal; font-variant-east-asian: normal; font-stretch: normal; font-size: 12px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">-H 'Cache-Control: no-cache' \</div><div style="margin: 0px; font-variant-numeric: normal; font-variant-east-asian: normal; font-stretch: normal; font-size: 12px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">-H 'True-Client-Ip: 2.18.114.25' \</div><div style="margin: 0px; font-variant-numeric: normal; font-variant-east-asian: normal; font-stretch: normal; font-size: 12px; line-height: normal; font-family: 
&quot;Helvetica Neue&quot;;" class="">--data 'user=dasD'</div><div style="margin: 0px; font-variant-numeric: normal; font-variant-east-asian: normal; font-stretch: normal; font-size: 12px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class=""><br class=""></div><div style="margin: 0px; font-variant-numeric: normal; font-variant-east-asian: normal; font-stretch: normal; font-size: 12px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">After I reduced the header size, zeek can catch it.</div><div style="margin: 0px; font-variant-numeric: normal; font-variant-east-asian: normal; font-stretch: normal; font-size: 12px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">For example,</div><div style="margin: 0px; font-variant-numeric: normal; font-variant-east-asian: normal; font-stretch: normal; font-size: 12px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">curl -k -i -vv -X GET&nbsp;<a href="http://test/login" target="_blank" class="">http://test/login</a>&nbsp;\<br class="">-H 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; YPC 3.2.0; SearchSystem6829992239; SearchSystem9616306563; SearchSystem6017393645; SearchSystem5219240075; SearchSystem2768350104; SearchSystem6919669052; SearchSystem1986739074; SearchSystem1555480186; SearchSystem3376893470; SearchSystem9530642569; SearchSystem4877790286; SearchSystem8104932799; SearchSystem2313134663; SearchSystem1545325373; SearchSystem7742471461;<br class="">SearchSystem2313134663; SearchSystem1545325372; SearchSystem7742471462;<br class="">SearchSystem2313134663; SearchSystem1545325372; SearchSystem7742471461;<br class="">SearchSystem2313134663;x)' \<br class="">-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \<br class="">-H 'Accept-Language: en-US,en;q=0.5' --compressed \<br class="">-H 'Content-Type: application/x-www-form-urlencoded' \<br class="">-H 'Connection: keep-alive' \<br 
class="">-H 'Upgrade-Insecure-Requests: 1' \<br class="">-H 'Pragma: no-cache' \<br class="">-H 'Cache-Control: no-cache' \<br class="">-H 'True-Client-Ip: 2.18.114.25' \<br class="">--data 'user=dasD'<br class=""></div><div style="margin: 0px; font-variant-numeric: normal; font-variant-east-asian: normal; font-stretch: normal; font-size: 12px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class=""><br class=""></div><div style="margin: 0px; font-variant-numeric: normal; font-variant-east-asian: normal; font-stretch: normal; font-size: 12px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">Thanks,</div><div style="margin: 0px; font-variant-numeric: normal; font-variant-east-asian: normal; font-stretch: normal; font-size: 12px; line-height: normal; font-family: &quot;Helvetica Neue&quot;;" class="">Yi</div></div></div>
_______________________________________________<br class="">
Zeek mailing list<br class="">
<a href="mailto:zeek@zeek.org" target="_blank" class="">zeek@zeek.org</a><br class="">
<a href="http://mailman.icsi.berkeley.edu/mailman/listinfo/zeek" rel="noreferrer" target="_blank" class="">http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek</a></blockquote></div><br clear="all" class=""><div class=""><br class=""></div>-- <br class=""><div dir="ltr" class="gmail_signature"><div dir="ltr" class="">Justin</div></div>
</div></blockquote></div><br class=""></div></body></html>