Something wrong in "ssl.log"

Hello everyone,
I am using Zeek 6.0.0. I monitored the interface through a Zeek cluster with 28 lb_procs by replaying the “all.pcap” file using tcpreplay. Then I found there are “**” in some flows in “ssl.log”, as in this result:
1691041937.587900 C4YDek4n3ysPyu1Epc 172.28.3.212 51922 221.239.56.138 8443 ** ** ** ** F ** ** F C ** ** ** **
The configuration of node.cfg is:
[manager]
type=manager
host=127.0.0.1
[proxy-1]
type=proxy
host=127.0.0.1
[worker-1]
type=worker
host=127.0.0.1
interface=eno3
lb_method=pf_ring
lb_procs=28
pin_cpus=0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27

Besides, when I execute zeek -C -r “all.pcap” to generate “ssl.log” offline, I also find “**” in some flows, as in this result:
1659060023.917768 CkzTYF201DvRkAGAJ 172.28.3.212 51922 221.239.56.138 8443 ** TLS_RSA_WITH_AES_128_CBC_SHA ** ** F ** ** T CsxnGIi 350df0cc8f2b82a86f32e43a9a31c486acd6d4be (empty) **

Then I employed tshark to extract this flow from “all.pcap” as “test.pcap” based on the 5-tuple, and executed zeek -C -r “test.pcap” to generate “ssl.log”; the result is as follows:
1659060023.917768 CsN8ku37wprcCMb7Ab 172.28.3.212 51922 221.239.56.138 8443 TLSv12 TLS_RSA_WITH_AES_128_CBC_SHA - - F - - T CsxnGIi 6f938ed5a27e1c7cb7e30a7c9d919f7eca95f317d38c424b071979d01a4a8c67 (empty) -

It seems this result is right, so why are there some “**”? How can I solve this problem to get the right result?
Thanks.

Any chance your local.zeek for the replay setup contains something like redef Log::unset_field = "**"; ?


Thanks for the reply, I did find something like redef Log::unset_field = "**"; in my local.zeek. After just commenting out this code, I get the right result.
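As an added example (not code from this thread or from the Zeek project), the placeholder a deployment uses for unset fields is recorded in the #unset_field line of every Zeek ASCII log header, so a consumer that reads the header instead of hard-coding "-" handles both the default and a redef like the one above without mistaking "**" for a real TLS version. The ssl.log text below is constructed for the example and contains only a subset of the real columns.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a Zeek ASCII ssl.log written under
# `redef Log::unset_field = "**";`. The header declares that placeholder.
SAMPLE_SSL_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t**
#path\tssl
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher\tserver_name
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring
1659060023.917768\tCkzTYF201DvRkAGAJ\t172.28.3.212\t51922\t221.239.56.138\t8443\t**\tTLS_RSA_WITH_AES_128_CBC_SHA\t**
1659060024.100000\tCexample1\t172.28.3.213\t51923\t221.239.56.138\t443\tTLSv12\tTLS_AES_128_GCM_SHA256\texample.test
#close\t2023-08-03-12-00-00
"""


def _unescape(s: str) -> str:
    # Zeek writes the column separator as a hex escape, e.g. "\x09" for tab.
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def parse_zeek_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse a Zeek ASCII log; unset fields become None, empty fields ''."""
    sep, unset, empty = "\t", "-", "(empty)"  # Zeek defaults, overridden by the header
    fields: List[str] = []
    rows: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                sep = _unescape(line[len("#separator "):])
                continue
            key, _, value = line[1:].partition(sep)
            if key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            elif key == "fields":
                fields = value.split(sep)
            continue
        values = line.split(sep)
        rows.append({name: None if v == unset else "" if v == empty else v
                     for name, v in zip(fields, values)})
    return rows


def uids_without_version(rows: List[Dict[str, Optional[str]]]) -> List[str]:
    """Connections whose TLS version field is genuinely unset (not a literal)."""
    return [r["uid"] for r in rows if r.get("version") is None and r.get("uid")]
```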