Blank HTTP logs

Howdy all,

I’ve been running into an issue with the http.log not populating fields (method, host, uri, referrer, UA) when spanned. I’m still getting the status_code and status_msg populated in the http.log and I’ve read an ancient article where Seth says this may be because of TCP checksum offloadin. (!topic/security-onion/12jqLwMShUo).

We currently have rx/tx-checksumming disabled on the ports we’re monitoring but rx/tx-vlan-offload is enabled, could this be the culprit?

The largest entries in the weird.log are windo_recision, data_before_established, and possible_split_routing.

Any help would be much appreciated!

I suspect that your span port is only capturing one direction of the traffic. All of the fields that you said are missing are from the client

Check your conn log to see if you’re seeing orig_pkts or resp_pkts frequently set to zero.


Cool. that’s what I was thinking as well since we’re only seeing resp or orig in the history of the conn.log as well. I’m thinking they spanned and have RX on one port with TX on the other. Thanks for the help!