How to get http request_body_len and response_body_len?

Hi,

I installed Zeek for the first time today.
I want to monitor HTTP and HTTPS traffic using Zeek’s logs.

I successfully sent Zeek’s http.log to Graylog using Filebeat and set up monitoring, but the log entries always show request_body_len and response_body_len values as 0.

I’ve searched through the manuals and knowledge base for a long time, but I couldn’t find a clear answer. What should I do?

Hello @kimsw , welcome.

> I’ve searched through the manuals and knowledge base for a long time, but I couldn’t find a clear answer. What should I do?

Would you be able to capture an individual or a few of these HTTP transactions using tcpdump or wireshark and provide a pcap file? For HTTP requests (particularly GET) 0 isn’t unusual. For responses it might be, but I would need to look at the actual traffic.

You can also have zeek process the pcap using zeek -C -r <pcap file> and see what the produced http.log looks like.

Hope this helps,
Arne

I solved this issue.

I’m currently testing on a virtual machine, and it turned out to be due to TCP checksum offload.
By setting redef ignore_checksums = T;, I got the desired results.

Thank you.
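The thread's diagnosis, in a form you can run against your own logs: Arne's suggestion is to look at the produced http.log, and the resolution is that TCP checksum offload on the VM made Zeek discard payload, which also shows up as bad_TCP_checksum entries in weird.log. The script below is an added example, not code from the thread or from the Zeek project. It parses Zeek's default tab-separated log format (the #separator / #fields / #unset_field header lines), then reports what fraction of HTTP responses carry a status code yet a response_body_len of 0, and how many bad_TCP_checksum weirds were recorded. The two log excerpts are constructed with a reduced set of columns; the 0.9 threshold and the helper names are this example's own choices.

```python
"""Check a Zeek http.log / weird.log pair for the checksum-offload symptom.

Added example (not from the forum thread or the Zeek project). Sample
log lines are constructed and use only a subset of Zeek's real columns.
"""
from typing import Dict, List, Optional

Row = Dict[str, Optional[str]]


def parse_zeek_tsv(text: str) -> List[Row]:
    """Parse Zeek's default TSV format: '#separator \\x09' first, then
    header lines keyed on '#fields', '#unset_field', ... and data rows."""
    sep, unset, empty = "\t", "-", "(empty)"
    fields: List[str] = []
    rows: List[Row] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The separator is written as an escape (e.g. \x09) because it
            # cannot be used to delimit itself.
            sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            elif key == "fields":
                fields = value.split(sep)
            continue  # "#types", "#path", "#open", "#close" are not needed here
        values = line.split(sep)
        if len(values) != len(fields):
            continue  # truncated or malformed record; skip rather than guess
        rows.append({k: (None if v in (unset, empty) else v)
                     for k, v in zip(fields, values)})
    return rows


# Responses that legitimately carry no body; excluded so they don't inflate the ratio.
BODYLESS_STATUS = {204, 304}


def http_responses(rows: List[Row]) -> List[Row]:
    """Rows that represent a completed, body-bearing response (has a status
    code, is not a HEAD request, not 1xx/204/304)."""
    out = []
    for r in rows:
        status = r.get("status_code")
        if status is None or r.get("method") == "HEAD":
            continue
        code = int(status)
        if code < 200 or code in BODYLESS_STATUS:
            continue
        out.append(r)
    return out


def zero_body_ratio(rows: List[Row]) -> float:
    """Fraction of body-bearing responses whose response_body_len is 0."""
    responses = http_responses(rows)
    if not responses:
        return 0.0
    zero = sum(1 for r in responses if int(r.get("response_body_len") or 0) == 0)
    return zero / len(responses)


def bad_checksum_count(weird_rows: List[Row]) -> int:
    """Number of bad_TCP_checksum weirds; offload on the capture NIC produces these."""
    return sum(1 for r in weird_rows if r.get("name") == "bad_TCP_checksum")


def diagnose(http_text: str, weird_text: str, threshold: float = 0.9) -> dict:
    """Combine both signals. Zero-length bodies alone can be normal traffic;
    together with bad checksums they point at the sensor, not the servers."""
    http_rows = parse_zeek_tsv(http_text)
    weird_rows = parse_zeek_tsv(weird_text)
    ratio = zero_body_ratio(http_rows)
    bad = bad_checksum_count(weird_rows)
    return {
        "responses": len(http_responses(http_rows)),
        "zero_body_ratio": ratio,
        "bad_tcp_checksums": bad,
        "likely_checksum_offload": ratio >= threshold and bad > 0,
    }


# Constructed http.log excerpt (reduced columns); "-" marks an unset field.
HTTP_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\thttp\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost"
    "\turi\trequest_body_len\tresponse_body_len\tstatus_code\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tcount\tcount\tcount\n"
    "1700000000.1\tCa1\t10.0.0.5\t51000\t93.184.216.34\t80\tGET\texample.com\t/\t0\t0\t200\n"
    "1700000001.2\tCa2\t10.0.0.5\t51001\t93.184.216.34\t80\tGET\texample.com\t/index.html\t0\t0\t200\n"
    "1700000002.3\tCa3\t10.0.0.5\t51002\t93.184.216.34\t80\tHEAD\texample.com\t/\t0\t0\t200\n"
    "1700000003.4\tCa4\t10.0.0.5\t51003\t93.184.216.34\t80\tPOST\texample.com\t/login\t0\t0\t302\n"
    "1700000004.5\tCa5\t10.0.0.5\t51004\t93.184.216.34\t80\tGET\texample.com\t/late\t0\t0\t-\n"
)

# Constructed weird.log excerpt (reduced columns).
WEIRD_LOG = (
    "#separator \\x09\n#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tweird\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\tnotice\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tbool\n"
    "1700000000.1\tCa1\t10.0.0.5\t51000\t93.184.216.34\t80\tbad_TCP_checksum\tF\n"
    "1700000001.2\tCa2\t10.0.0.5\t51001\t93.184.216.34\t80\tbad_TCP_checksum\tF\n"
    "1700000005.0\t-\t10.0.0.5\t40000\t10.0.0.1\t53\tdns_unmatched_msg\tF\n"
)

if __name__ == "__main__":
    print(diagnose(HTTP_LOG, WEIRD_LOG))
```

If the check comes back positive, the two fixes from the thread apply: `zeek -C -r <pcap file>` for offline pcaps, or `redef ignore_checksums = T;` in your site policy for live capture. Disabling offload on the capture interface itself (for example `ethtool -K <iface> rx off tx off` on Linux) removes the cause rather than masking it, and keeps Zeek's checksum validation available for spotting genuinely corrupted segments.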