[Zeek] Sometimes HTTP.log fails to generate from PCAP file

Jon Siwek jsiwek at corelight.com
Thu Aug 8 13:18:10 PDT 2019


On Thu, Aug 8, 2019 at 12:44 PM Jonah Burgess <jburgess03 at qub.ac.uk> wrote:

> Can anybody confirm why the HTTP.log fails to generate (is it the missing SYN-ACK at the start?)

Yes, that's likely the reason -- the HTTP parser (or any parser
really) doesn't make an attempt to (re)synchronize with the HTTP
protocol in the case where we may be starting somewhere in the middle
of the TCP stream.

> and advise if there is some way I can still extract the HTTP traffic from the PCAP using Bro (since it’s clearly all visible in Wireshark).

Not out of the box, but attached is a patch that removes the checks
which currently cause the HTTP analysis to be skipped for such
connections. If all that's missing is the TCP handshake, then the
http.log produced with the patched version will, I think, be the same
as or similar enough to what it would be if the handshake were there.
If there are more packets missing than that, it will likely still fail
to parse out much HTTP data.

- Jon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: http-partial.patch
Type: application/octet-stream
Size: 717 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190808/7d2841d7/attachment.obj 
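The reply above says Zeek skips HTTP analysis for connections it first sees mid-stream. As an added example (not from the original mail, the attached patch, or the Zeek project), this Python script scans a classic pcap and reports which TCP flows lack a SYN / SYN-ACK, which is a way to confirm that diagnosis before reaching for the patch. The capture bytes, addresses and ports are constructed inline.

```python
import struct

SYN, ACK = 0x02, 0x10  # TCP flag bits
def tcp_frame(src, sport, dst, dport, flags, payload=b""):
    # Minimal Ethernet/IPv4/TCP frame for constructed test data (checksums left zero).
    ip_src = bytes(int(o) for o in src.split("."))
    ip_dst = bytes(int(o) for o in dst.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, ip_src, ip_dst) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip
def pcap_file(frames):
    # Classic little-endian pcap (not pcapng), link type 1 = Ethernet.
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
def tcp_packets(data):
    # Yield (src, sport, dst, dport, flags) for every IPv4/TCP frame in a classic pcap.
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24  # skip the global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        pkt, off = data[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (pkt[14] & 0x0F) * 4
        src, dst = ".".join(map(str, pkt[26:30])), ".".join(map(str, pkt[30:34]))
        tcp = pkt[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield src, sport, dst, dport, tcp[13]
def handshake_report(data):
    # Per flow (endpoints sorted so both directions share one key): True when the first packet
    # seen is a bare SYN and a SYN-ACK follows; False means Zeek sees the flow mid-stream.
    flows = {}
    for src, sport, dst, dport, flags in tcp_packets(data):
        key = tuple(sorted([(src, sport), (dst, dport)]))
        if key not in flows:
            flows[key] = [(flags & (SYN | ACK)) == SYN, False]
        elif (flags & (SYN | ACK)) == (SYN | ACK):
            flows[key][1] = True
    return {k: syn and synack for k, (syn, synack) in flows.items()}
# Constructed capture: flow A has a full handshake, flow B starts mid-stream (no SYN/SYN-ACK).
A = ("192.0.2.10", 40001, "198.51.100.20", 80)
B = ("192.0.2.10", 40002, "198.51.100.20", 80)
SAMPLE_PCAP = pcap_file([
    tcp_frame(*A, SYN), tcp_frame(A[2], A[3], A[0], A[1], SYN | ACK), tcp_frame(*A, ACK),
    tcp_frame(*A, ACK, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    tcp_frame(*B, ACK, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    tcp_frame(B[2], B[3], B[0], B[1], ACK, b"HTTP/1.1 200 OK\r\n\r\n"),
])
```

Flows reported as False are the ones the unpatched HTTP analyzer will ignore, so an empty http.log for a capture made of only such flows is expected behaviour rather than a parsing bug.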

