Forgot a subject…
Does tcpdump on the interface see the packets for http traffic you’re expecting? Is the adapter in promiscuous mode? Have you tried running zeek over a pcap with some HTTP data to see if the log is created?
Mike
Hi Craig,
Have you tried disabling NIC offloading features?
https://blog.securityonion.net/2011/10/when-is-full-packet-capture-not-full.html
First, Doug, good to ‘hear’ you again.
Second, I disabled the offloading and that seemed to work.
Per Mike’s suggestion, I was using this command
tcpdump -vvAls0 | grep 'Host:'
to look for http traffic and capture the host names. That’s from this site: https://danielmiessler.com/study/tcpdump/#host
With these two steps, I saw I could view the host name, and then I saw the host field being captured in the http.log file. It was also being captured in the ssl.log file (although I know it’s called something else in that file) for https sites.
Thanks
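A small check for the NIC offloading issue Doug and Craig discuss, added here as an example and not taken from the thread or from Security Onion: it lists the offload features that are still on in `ethtool -k` output and builds the matching `ethtool -K ... off` command. It assumes the capture interface is eth0 and that ethtool is available; the sample output below is constructed, not captured from a real box.

```shell
#!/bin/sh
# Added example: find NIC offload features that are still enabled. When
# GRO/LRO/TSO/GSO are on, the kernel hands merged segments to the sniffer, so
# Zeek and tcpdump may not see the HTTP traffic as it was on the wire.

# Offload features that commonly interfere with full packet capture.
OFFLOADS='tcp-segmentation-offload generic-segmentation-offload generic-receive-offload large-receive-offload rx-checksumming tx-checksumming'

# enabled_offloads: read "ethtool -k <iface>" output on stdin and print the
# names of listed features whose state is "on" (one per line).
enabled_offloads() {
    awk -v list="$OFFLOADS" '
        BEGIN { n = split(list, want, " "); for (i = 1; i <= n; i++) keep[want[i]] = 1 }
        # top-level lines look like "feature-name: on" or "feature-name: off [fixed]"
        { name = $1; sub(/:$/, "", name); if (name in keep && $2 == "on") print name }'
}

# fix_command: print the ethtool -K command that turns the given features off.
# ethtool -K takes short names, so map the long names reported by -k to them.
fix_command() {
    iface=$1; shift
    cmd="ethtool -K $iface"
    for f in "$@"; do
        case $f in
            tcp-segmentation-offload)     cmd="$cmd tso off" ;;
            generic-segmentation-offload) cmd="$cmd gso off" ;;
            generic-receive-offload)      cmd="$cmd gro off" ;;
            large-receive-offload)        cmd="$cmd lro off" ;;
            rx-checksumming)              cmd="$cmd rx off" ;;
            tx-checksumming)              cmd="$cmd tx off" ;;
        esac
    done
    echo "$cmd"
}

# Constructed sample of "ethtool -k eth0" output (assumption, not a real capture).
SAMPLE='Features for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]'

# On a live sensor replace the sample with:  ethtool -k eth0 | enabled_offloads
on=$(printf '%s\n' "$SAMPLE" | enabled_offloads)
if [ -n "$on" ]; then fix_command eth0 $on; fi
```

Re-run `ethtool -k eth0` after applying the printed command; a feature marked `[fixed]` cannot be changed and must be worked around at the capture point instead.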