bro http/ssl question

I have a unique situation where I am receiving traffic from two interfaces, eth0 and eth1. I’ve modified the node.cfg file to distribute the traffic to multiple workers, i.e. two workers for eth0 and two workers for eth1. The interface eth0 receives HTTP traffic and the interface eth1 is receiving HTTPS traffic. The tricky part is, both interfaces are actually receiving the same traffic, i.e. same 5-tuple (src.ip/port, dst.ip/port, protocol). The port number for the plain HTTP traffic is also received on port 443. The diagram below shows the details:

That port doesn't matter...

Does that decryption device send correct TCP checksums? The lack of proper checksums would explain why most of the traffic is missing.

If the traffic was being received on the same interface I'd say that this probably wouldn't work at all since the TCP reassembler would get horribly confused, but since separate processes are receiving the different streams I think it should work.

You say that the unencrypted connections are not showing up in http.log; are they showing up in the conn.log?