Hi,
I am replaying a pcap to my Zeek sensor, which is basically a file download, when I send the same pcap several times, some fields are missing in some records, the missing fields include, ‘host’, ‘method’, ‘uri’ , here is an example from http.log. As you can see on the first record the address is resolved, the method is GET, but on the second flow both are missing.
First flow: 1714778514.953354 CrYDyP1gjttE2mFIYk 1.1.1.209 49199 95.111.111.132 80 1 GET mywebsite.com /ser0410.bin - - 0 364544 200 OK
Second flow: 1714778516.035952 C1BDOO1lCx9guxV7e2 1.1.1.209 49199 95.111.111.132 80 1 - - /ser0410.bin - - 0 364544 200 OK
If I do the same in Suricata, all the fields are present for all the flows.
Is there any configuration that I am missing?
Thanks!!