Host field empty in http.log

Forgot a subject…

Does tcpdump on the interface see the packets for http traffic you’re expecting? Is the adapter in promiscuous mode? Have you tried running zeek over a pcap with some HTTP data to see if the log is created?

Hi Craig,

Have you tried disabling NIC offloading features?

First, Doug, good to ‘hear’ you again.

Second, I disabled the offloading and that seemed to work.

Per Mike’s suggestion, I was using this command

tcpdump -vvAls0 | grep 'Host:'

to look for http traffic and capture the host names. That’s from this site:

With these two steps, I saw I could view the host name, and then I saw the host field being captured in the http.log file. It was also being captured in the ssl.log file (although I know it’s called something else in that file) for https sites.
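Added example for anyone landing on this thread with the same symptom; it is not from the thread and not Craig's or Doug's setup. It turns the "disable NIC offloading" advice into something you can script and re-check: read the output of `ethtool -k IFACE`, list the offload features that are on and changeable, and build the matching `ethtool -K IFACE ... off` command. The sample `ethtool -k` output is constructed, the feature list in `OFFLOADS` and the interface name `eth0` are assumptions, and the long-to-short name mapping is the one `ethtool -k` / `ethtool -K` use on Linux.

```shell
#!/bin/sh
# Added example (not from the thread): find which NIC offload features are
# on and build the ethtool command that turns them off on a Zeek sensor.
# With GRO/LRO/TSO/GSO and checksum offload on, the capture sees oversized
# reassembled segments and bad checksums, and Zeek can fail to parse HTTP
# (empty host field in http.log is one way that shows up).

# Offload features worth turning off on a sniffing interface. Assumed list;
# trim it to what your driver actually exposes in "ethtool -k IFACE".
OFFLOADS="rx tx sg tso ufo gso gro lro rxvlan txvlan"

# Map the long names "ethtool -k" prints to the keywords "ethtool -K" takes.
short_name() {
    case "$1" in
        rx-checksumming)              echo rx ;;
        tx-checksumming)              echo tx ;;
        scatter-gather)               echo sg ;;
        tcp-segmentation-offload)     echo tso ;;
        udp-fragmentation-offload)    echo ufo ;;
        generic-segmentation-offload) echo gso ;;
        generic-receive-offload)      echo gro ;;
        large-receive-offload)        echo lro ;;
        rx-vlan-offload)              echo rxvlan ;;
        tx-vlan-offload)              echo txvlan ;;
        *) return 1 ;;
    esac
}

# Read "ethtool -k IFACE" output on stdin; print the short keyword of every
# top-level feature that is "on" and not "[fixed]" (the driver refuses to
# change fixed ones, so asking for them only produces an error).
enabled_offloads() {
    while IFS= read -r line; do
        case "$line" in
            "" | [!a-z]*) continue ;;   # header line, blank, or indented sub-feature
        esac
        name=${line%%:*}
        rest=${line#*:}
        set -- $rest                    # $1 is "on" or "off", $2 may be "[fixed]"
        [ "$1" = on ] || continue
        case "$rest" in *"[fixed]"*) continue ;; esac
        short_name "$name" || true
    done
}

# Build "ethtool -K IFACE feat off ..." from the enabled list read on stdin.
# If nothing is left on, the command has no features: that is the state you
# want to see when you re-run this after applying it.
offload_off_cmd() {
    iface=$1
    cmd="ethtool -K $iface"
    for f in $(enabled_offloads); do
        cmd="$cmd $f off"
    done
    echo "$cmd"
}

# Constructed sample of "ethtool -k eth0" output, not from a real sensor.
SAMPLE='Features for eth0:
rx-checksumming: on
tx-checksumming: on
	tx-checksum-ipv4: off [fixed]
scatter-gather: on
	tx-scatter-gather: on
tcp-segmentation-offload: on
	tx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]
rx-vlan-offload: on
tx-vlan-offload: off
rx-hashing: on'

# On a real box replace the sample with:  ethtool -k eth0 | offload_off_cmd eth0
# then run the printed command as root, and confirm with
#   tcpdump -i eth0 -vvAls0 | grep 'Host:'
# that HTTP requests still show up before checking http.log again.
printf '%s\n' "$SAMPLE" | offload_off_cmd eth0
```

Run it once to see the command, run that command as root, then feed the fresh `ethtool -k` output back through `offload_off_cmd`: if it prints a bare `ethtool -K eth0`, everything changeable is off. Note these settings do not survive a reboot or interface bounce, so put the command in whatever brings the interface up on your sensor.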