I’m having an issue where Bro is not extracting the host field correctly from captured HTTP traffic (in the form of a PCAP). I’ve verified it has nothing to do with split-routing. I also manually examined the PCAP file using Wireshark and found the host field to be present in all instances. I am a bit puzzled. This is significant for our use case because we will be using Bro to monitor for malicious URLs and the like.
I have my http.log, weird.log, and the PCAP file itself. Unfortunately, I cannot attach the PCAP due to its size and the mailing list rejecting the message. Please reply and I will send the PCAP individually.
Any advice is appreciated.
http.log (13.6 KB)
weird.log (35.4 KB)
It looks like it is missing the entire request. It's not missing the host field; it's missing every single field from the client request.
method,host,uri,referrer,user_agent,request_body_len are all missing.
Are you running bro on the machine making the outbound connections? I'm guessing that 130.85.70.132 is your desktop machine.
If you look inside your reporter.log, is there a warning about tcp checksums?
Thanks Justin, that was the problem.
I have two follow-up questions. Can a NIC card handle calculating checksums for all packets instead of offloading to the CPU or would disabling offloading result in dropped packets? Is it preferable to have Bro ignore the checksums instead?
I understand this is a general question but I’m having trouble benchmarking a 10Gb/s capture card.
This is only an issue when you are running bro on the same machine that is generating the traffic. Hook up bro to a tap or a span port and the checksums will be correct.
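The check Justin points to (a checksum warning in reporter.log) can also be made directly against the PCAP, which is useful both to confirm the diagnosis and to decide whether disabling NIC offloading or running Bro with checksum verification off is the right fix. The following is an added example, not Bro's own code or anything from the thread: a minimal pcap reader that verifies every IPv4 TCP checksum and counts failures per source address. The capture it reads is constructed inline; the addresses 10.0.0.5 (the hypothetical capture host) and 203.0.113.7, the ports and the HTTP payloads are all assumptions for the demonstration.

```python
"""Count TCP segments with bad checksums in a pcap, grouped by source IP.
Added example (not Bro code). The sample capture below is constructed
inline with hypothetical addresses 10.0.0.5 and 203.0.113.7."""
import socket
import struct
from collections import defaultdict


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit big-endian words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum covers the IPv4 pseudo-header (src, dst, zero, proto 6, length)."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_checksum(pseudo + segment)


def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes,
                fill_checksum: bool) -> bytes:
    """Ethernet/IPv4/TCP frame. fill_checksum=False mimics TX checksum offloading:
    the host leaves a placeholder (Linux writes only the pseudo-header partial
    sum) and expects the NIC to finish it, so a local capture sees a bad value."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, 20 + len(payload))
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window
    tcp = struct.pack("!HHIIBBH", sport, dport, 1, 1, 5 << 4, 0x18, 65535)
    tcp += struct.pack("!HH", 0, 0) + payload           # checksum placeholder, urgent ptr
    if fill_checksum:
        ck = tcp_checksum(src_b, dst_b, tcp)
    else:
        ck = (~ones_complement_checksum(pseudo)) & 0xFFFF  # partial sum, NIC never finished it
    tcp = tcp[:16] + struct.pack("!H", ck) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]
    eth = b"\x00" * 12 + b"\x08\x00"                     # MACs are irrelevant here
    return eth + ip + tcp


def build_sample_pcap() -> bytes:
    """Constructed capture: two outbound requests from the capture host with
    offloaded (unfinished) checksums, one inbound reply with a valid checksum."""
    frames = [
        build_frame("10.0.0.5", "203.0.113.7", 51000, 80,
                    b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n", fill_checksum=False),
        build_frame("203.0.113.7", "10.0.0.5", 80, 51000,
                    b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n", fill_checksum=True),
        build_frame("10.0.0.5", "203.0.113.7", 51001, 80,
                    b"GET /x HTTP/1.1\r\nHost: example.com\r\n\r\n", fill_checksum=False),
    ]
    # pcap global header: magic, version 2.4, tz, sigfigs, snaplen, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(f), len(f)) + f
    return out


def bad_checksum_report(pcap: bytes) -> dict:
    """Return {src_ip: (bad, total)} over every IPv4 TCP segment in a classic pcap."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    stats = defaultdict(lambda: [0, 0])
    pos = 24
    while pos + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(end + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                     # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6 or total_len < ihl + 20 or len(ip) < total_len:
            continue                                     # not TCP, or truncated
        src, dst = ip[12:16], ip[16:20]
        segment = ip[ihl:total_len]                      # strips Ethernet padding
        # Summing the segment with its checksum field in place gives 0 when valid.
        bad = tcp_checksum(src, dst, segment) != 0
        entry = stats[socket.inet_ntoa(src)]
        entry[1] += 1
        entry[0] += int(bad)
    return {addr: tuple(v) for addr, v in stats.items()}


if __name__ == "__main__":
    for addr, (bad, total) in bad_checksum_report(build_sample_pcap()).items():
        print("%-15s %d/%d TCP segments with bad checksums" % (addr, bad, total))
```

Run it against a real capture by replacing the constructed bytes with the file contents. The telltale pattern from this thread is exactly what the sample reproduces: every failing segment originates from the host doing the capturing, while traffic from remote peers verifies cleanly, which is offloading rather than corruption. On that host the fix is to turn offloading off on the capture interface (`ethtool -K <iface> tx off rx off`), or to capture from a tap or SPAN port as Justin suggests. Bro can also be told to skip the check (`bro -C`, or `redef ignore_checksums = T;` in a script), but on a sensor that sees third-party traffic that has a cost worth knowing: the sensor then accepts segments the receiving endpoint will discard, which is the classic insertion evasion against an IDS.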