Host field empty in http.log

craig_bowser · May 6, 2021, 1:28am

Forgot a subject…

Ankith_Kumar_Hanuman · May 6, 2021, 1:42am

Does tcpdump on the interface see the packets for http traffic you’re expecting? Is the adapter in promiscuous mode? Have you tried running zeek over a pcap with some HTTP data to see if the log is created?
Mike

Doug_Burks · May 6, 2021, 10:19am

Hi Craig,

Have you tried disabling NIC offloading features?
https://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html

craig_bowser · May 6, 2021, 2:17pm

First, Doug good to ‘hear’ you again.

Second, I disabled the offloading and that seemed to work.

Per Mike’s suggestion, I was using this command

tcpdump -vvAls0 | grep ‘Host:’

to look for http traffic and capture the host names. That’s from this site: https://danielmiessler.com/study/tcpdump/#host

with these two steps, I saw I could view the host name and then I saw the host field being captured in http.log file. Also, was being captured in ssl.log file (although I know it’s called something else in that file) for https sites.

Thanks

Topic		Replies	Views
Some HTTP fields are empty for the same exact flow Zeek	1	169	May 13, 2024
Bro Not Extracting Host Fields from HTTP Traffic Zeek	4	98	May 6, 2022
Zeek/Bro DNS log missing type Zeek	4	123	May 6, 2022
Blank HTTP logs Zeek	3	147	May 6, 2022
about Zeek	2	74	May 6, 2022

Host field empty in http.log

Related topics