[Bro] Blank HTTP logs

Josh Guild josh.guild at morphick.com
Wed Mar 22 12:35:07 PDT 2017

Cool. that's what I was thinking as well since we're only seeing resp or
orig in the history of the conn.log as well. I'm thinking they spanned and
have RX on one port with TX on the other. Thanks for the help!

On Wed, Mar 22, 2017 at 3:07 PM, Seth Hall <seth at corelight.com> wrote:

> I suspect that your span port is only capturing one direction of the
> traffic.   All of the fields that you said are missing are from the client
> Check your conn log to see if you're seeing orig_pkts or resp_pkts
> frequently set to zero.
>   .Seth
> On Wed, Mar 22, 2017 at 2:32 PM Josh Guild <josh.guild at morphick.com>
> wrote:
>> Howdy all,
>> I've been running into an issue with the http.log not populating fields
>> (method, host, uri, referrer, UA) when spanned. I'm still getting the
>> status_code and status_msg populated in the http.log and I've read an
>> ancient article where Seth says this may be because of TCP checksum
>> offloadin. (https://groups.google.com/forum/#!topic/security-onion/
>> 12jqLwMShUo).
>> We currently have rx/tx-checksumming disabled on the ports we're
>> monitoring but rx/tx-vlan-offload is enabled, could this be the culprit?
>> The largest entries in the weird.log are windo_recision,
>> data_before_established, and possible_split_routing.
>> Any help would be much appreciated!
>> --
>> Josh Guild
>> Network Intelligence Analyst
>> <https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

Josh Guild
Network Intelligence Analyst
<https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170322/412fa63c/attachment.html 

More information about the Bro mailing list