<html><body><div style="color:#000; background-color:#fff; font-family:arial, helvetica, sans-serif;font-size:13px"><div id="yui_3_16_0_1_1443713322019_4287" class=""><font face="Times" class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4326">Hi Victor,</font></div><div class="" style="font-family: Helvetica; font-size: 12px;" id="yui_3_16_0_1_1443713322019_4328"><font face="Times" class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4330"><br class="" id="yui_3_16_0_1_1443713322019_4332"></font></div><div class="" style="font-family: Helvetica; font-size: 12px;" id="yui_3_16_0_1_1443713322019_4334"><span style="font-size: 14px; font-family: Times;" id="yui_3_16_0_1_1443713322019_4789">I am using Suricata (and ELK) to capture and analyze network packets. </span><br></div><div class="" style="font-family: Helvetica; font-size: 12px;" id="yui_3_16_0_1_1443713322019_4342"><font face="Times" class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4344"><br class="" id="yui_3_16_0_1_1443713322019_4346"></font></div><div class="" style="font-family: Helvetica; font-size: 12px;" id="yui_3_16_0_1_1443713322019_4348"><font face="Times" class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4350">I am facing an issue with HTTP packet capture. My http.log (and eve.json) is empty. I have verified with a Wireshark capture that HTTP packets can be seen from the host. 
It’s just that Suricata is not able to populate http.log.</font></div><div class="" style="font-family: Helvetica; font-size: 12px;" id="yui_3_16_0_1_1443713322019_4352"><font face="Times" class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4354">I was wondering if you could give me some valuable inputs to troubleshoot this issue?</font></div><div class="" style="font-family: Helvetica; font-size: 12px;" id="yui_3_16_0_1_1443713322019_4356"><font face="Times" class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4358"><br class="" id="yui_3_16_0_1_1443713322019_4360"></font></div><div class="" style="font-family: Helvetica; font-size: 12px;" id="yui_3_16_0_1_1443713322019_4362"><font face="Times" class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4364">Physical setup:</font></div><div class="" style="font-family: Helvetica; font-size: 12px;" id="yui_3_16_0_1_1443713322019_4366" dir="ltr"><font face="Times" class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4368">- Packets are duplicated and sent to the Ubuntu server with Suricata. A splitter, which sits between the border router and the ISP (similar to SPAN), sends the duplicate traffic to our IDS server.</font></div><div class="" style="font-family: Helvetica; font-size: 12px;" id="yui_3_16_0_1_1443713322019_4370"><font face="Times" class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4372">- We are using a <a href="http://web/~doc/progs/MoinMoin/wiki-moinmoin/moin.cgi/SuperMicro" class="" style="text-decoration: none;" id="yui_3_16_0_1_1443713322019_4374"><span class="" style="color: rgb(17, 85, 204); vertical-align: baseline; white-space: pre-wrap;" id="yui_3_16_0_1_1443713322019_4376">SuperMicro</span></a><span class="" style="vertical-align: baseline; white-space: pre-wrap;" id="yui_3_16_0_1_1443713322019_4378"> Xenon A+ 1042G-TF Server. 
A 10G FC port (eth2) is used for packet capture.</span></font></div><div class="" style="font-family: Helvetica; font-size: 12px;" id="yui_3_16_0_1_1443713322019_4380"><span class="" style="vertical-align: baseline; white-space: pre-wrap; font-size: 14px;" id="yui_3_16_0_1_1443713322019_4382"><font face="Times" class="" id="yui_3_16_0_1_1443713322019_4384">- All offloading is disabled, as follows:</font></span></div><div class="" style="font-family: Helvetica; font-size: 12px;" id="yui_3_16_0_1_1443713322019_4386"><span class="" style="vertical-align: baseline; white-space: pre-wrap; font-size: 14px;" id="yui_3_16_0_1_1443713322019_4388"><font face="Times" class="" id="yui_3_16_0_1_1443713322019_4390"><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4392">khushal@hermes:/var/log/suricata$ sudo ethtool -k eth2</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4394">Features for eth2:</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4396">rx-checksumming: off</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4398">tx-checksumming: off</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4400"><span class="" style="white-space:pre-wrap;" id="yui_3_16_0_1_1443713322019_4402"> </span>tx-checksum-ipv4: off</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4404"><span class="" style="white-space:pre-wrap;" id="yui_3_16_0_1_1443713322019_4406"> </span>tx-checksum-ip-generic: off [fixed]</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4408"><span class="" style="white-space:pre-wrap;" id="yui_3_16_0_1_1443713322019_4410"> </span>tx-checksum-ipv6: off</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4412"><span class="" style="white-space:pre-wrap;" id="yui_3_16_0_1_1443713322019_4414"> </span>tx-checksum-fcoe-crc: off [fixed]</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4416"><span 
class="" style="white-space:pre-wrap;" id="yui_3_16_0_1_1443713322019_4418"> </span>tx-checksum-sctp: off [fixed]</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4420">scatter-gather: off</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4422"><span class="" style="white-space:pre-wrap;" id="yui_3_16_0_1_1443713322019_4424"> </span>tx-scatter-gather: off</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4426"><span class="" style="white-space:pre-wrap;" id="yui_3_16_0_1_1443713322019_4428"> </span>tx-scatter-gather-fraglist: off [fixed]</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4430">tcp-segmentation-offload: off</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4432"><span class="" style="white-space:pre-wrap;" id="yui_3_16_0_1_1443713322019_4434"> </span>tx-tcp-segmentation: off</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4436"><span class="" style="white-space:pre-wrap;" id="yui_3_16_0_1_1443713322019_4438"> </span>tx-tcp-ecn-segmentation: off [fixed]</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4440"><span class="" style="white-space:pre-wrap;" id="yui_3_16_0_1_1443713322019_4442"> </span>tx-tcp6-segmentation: off</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4444">udp-fragmentation-offload: off [fixed]</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4446">generic-segmentation-offload: off</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4448">generic-receive-offload: off</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4450">large-receive-offload: off [fixed]</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4452">rx-vlan-offload: on [fixed]</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4454">tx-vlan-offload: on [fixed]</div><div class="" style="margin: 0px;" 
id="yui_3_16_0_1_1443713322019_4456">ntuple-filters: off [fixed]</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4458">receive-hashing: off</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4460">highdma: on [fixed]</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4462">rx-vlan-filter: on [fixed]</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4464">vlan-challenged: off [fixed]</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4466">tx-lockless: off [fixed]</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4468">netns-local: off [fixed]</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4470">tx-gso-robust: off [fixed]</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4472">tx-fcoe-segmentation: off [fixed]</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4474">tx-gre-segmentation: off [fixed]</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4476">tx-ipip-segmentation: off [fixed]</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4478">tx-sit-segmentation: off [fixed]</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4480">tx-udp_tnl-segmentation: off [fixed]</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4482">tx-mpls-segmentation: off [fixed]</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4484">fcoe-mtu: off [fixed]</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4486">tx-nocache-copy: on</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4488">loopback: off</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4490">rx-fcs: off [fixed]</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4492">rx-all: off [fixed]</div><div class="" style="margin: 0px;" 
id="yui_3_16_0_1_1443713322019_4494">tx-vlan-stag-hw-insert: off [fixed]</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4496">rx-vlan-stag-hw-parse: off [fixed]</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4498">rx-vlan-stag-filter: off [fixed]</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4500">l2-fwd-offload: off [fixed]</div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4502">khushal@hermes:/var/log/suricata$ </div></font></span></div><div class="" style="font-family: Helvetica; font-size: 12px;" id="yui_3_16_0_1_1443713322019_4504"><font face="Times" class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4506"><br class="" id="yui_3_16_0_1_1443713322019_4508"></font></div><div class="" style="font-family: Helvetica; font-size: 12px;" id="yui_3_16_0_1_1443713322019_4510"><div class="" id="yui_3_16_0_1_1443713322019_4512"><font face="Times" class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4514">Currently, I am facing an issue with HTTP packet capture on eth2(FC Port).</font></div><div class="" id="yui_3_16_0_1_1443713322019_4516"><font face="Times" class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4518">Following are the details of this port :</font></div><div class="" id="yui_3_16_0_1_1443713322019_4520"><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4522"><font face="Times" class="" id="yui_3_16_0_1_1443713322019_4524"><i class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4526"> description: Ethernet interface</i></font></div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4528"><font face="Times" class="" id="yui_3_16_0_1_1443713322019_4530"><i class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4532"> product: MT27500 Family [ConnectX-3]</i></font></div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4534"><font face="Times" class="" 
id="yui_3_16_0_1_1443713322019_4536"><i class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4538"> vendor: Mellanox Technologies</i></font></div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4540"><font face="Times" class="" id="yui_3_16_0_1_1443713322019_4542"><i class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4544"> physical id: 0</i></font></div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4546"><font face="Times" class="" id="yui_3_16_0_1_1443713322019_4548"><i class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4550"> bus info: pci@0000:03:00.0</i></font></div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4552"><font face="Times" class="" id="yui_3_16_0_1_1443713322019_4554"><i class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4556"> logical name: eth2</i></font></div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4558"><font face="Times" class="" id="yui_3_16_0_1_1443713322019_4560"><i class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4562"> version: 00</i></font></div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4564"><font face="Times" class="" id="yui_3_16_0_1_1443713322019_4566"><i class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4568"> serial: 00:02:c9:23:12:00</i></font></div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4570"><font face="Times" class="" id="yui_3_16_0_1_1443713322019_4572"><i class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4574"> width: 64 bits</i></font></div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4576"><font face="Times" class="" id="yui_3_16_0_1_1443713322019_4578"><i class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4580"> clock: 33MHz</i></font></div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4582"><font face="Times" class="" 
id="yui_3_16_0_1_1443713322019_4584"><i class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4586"> capabilities: pm vpd msix pciexpress bus_master cap_list rom ethernet physical fibre</i></font></div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4588"><font face="Times" class="" id="yui_3_16_0_1_1443713322019_4590"><i class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4592"> configuration: autonegotiation=off broadcast=yes driver=mlx4_en driverversion=2.2-1 (Feb 2014) duplex=full firmware=2.11.500 latency=0 link=yes multicast=yes port=fibre</i></font></div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4594"><font face="Times" class="" id="yui_3_16_0_1_1443713322019_4596"><i class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4598"> resources: irq:24 memory:dff00000-dfffffff memory:dd800000-ddffffff memory:dfe00000-dfefffff</i></font></div></div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4600"><font face="Times" class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4602"><br class="" id="yui_3_16_0_1_1443713322019_4604"></font></div><div class="" id="yui_3_16_0_1_1443713322019_4606"><div class="" id="yui_3_16_0_1_1443713322019_4608"><font face="Times" class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4610"><br class="" id="yui_3_16_0_1_1443713322019_4612"></font></div><div class="" id="yui_3_16_0_1_1443713322019_4614"><font face="Times" class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4616">Basically, eth2 (FC port) is not able to capture HTTP packets. It can capture all types of packets except for HTTP, and the http log is empty. 
</font></div><div class="" id="yui_3_16_0_1_1443713322019_4618"><font face="Times" class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4620"><br class="" id="yui_3_16_0_1_1443713322019_4622"></font></div><div class="" id="yui_3_16_0_1_1443713322019_4624"><font face="Times" class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4626">I was also facing the same issue on eth0 (1G copper port). After disabling offloading on eth0, it started capturing HTTP packets. However, disabling offloading on eth2 does not help. </font></div><div class="" id="yui_3_16_0_1_1443713322019_4628"><font face="Times" class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4630"><br class="" id="yui_3_16_0_1_1443713322019_4632"></font></div><div class="" id="yui_3_16_0_1_1443713322019_4634"><font face="Times" class="" id="yui_3_16_0_1_1443713322019_4636"><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4638"><span class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4640">Suricata version:</span></div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4642"><span class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4644">This is Suricata version 2.0.8 RELEASE</span></div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4646"><span class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4648"><br class="" id="yui_3_16_0_1_1443713322019_4650"></span></div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4652"><span class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4654">Please find suricata.yaml attached.</span></div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4656"><span class="" style="font-size: 14px;" id="yui_3_16_0_1_1443713322019_4658"><br class="" id="yui_3_16_0_1_1443713322019_4660"></span></div><div class="" style="margin: 0px;" id="yui_3_16_0_1_1443713322019_4662"><span class="" style="font-size: 14px;" 
id="yui_3_16_0_1_1443713322019_4664">Thanks, Khushal</span></div><div class="" style="margin: 0px; font-size: 11px; font-family: Menlo;" id="yui_3_16_0_1_1443713322019_4666"><br class="" id="yui_3_16_0_1_1443713322019_4668"></div><div class="" style="margin: 0px; font-size: 11px; font-family: Menlo;" id="yui_3_16_0_1_1443713322019_4670"></div></font></div></div></div></div></body></html>
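As an added example (not the poster's code and not part of Suricata), a small Python check that parses `ethtool -k` output like the eth2 listing in the message and reports which features are still on, separating the ones `ethtool -K` could turn off from the ones the driver marks `[fixed]`; the sample input is a constructed subset of that listing, and `check_interface` assumes ethtool is installed and the caller is allowed to run it.

```python
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed sample: a subset of the `ethtool -k eth2` listing quoted in the message.
SAMPLE_ETHTOOL_K = """Features for eth2:
rx-checksumming: off
tx-checksumming: off
\ttx-checksum-ip-generic: off [fixed]
tcp-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off [fixed]
rx-vlan-offload: on [fixed]
tx-vlan-offload: on [fixed]
highdma: on [fixed]
rx-vlan-filter: on [fixed]
tx-nocache-copy: on
rx-all: off [fixed]
"""

# One feature line: optional indent, name, state, optional bracketed note such as [fixed].
LINE_RE = re.compile(r"^\s*([\w-]+):\s*(on|off)(?:\s*\[([^\]]+)\])?\s*$")

def parse_ethtool_features(text: str) -> Dict[str, Tuple[str, bool]]:
    """Map feature name -> (state, driver_fixed); the 'Features for ...:' header is skipped."""
    features: Dict[str, Tuple[str, bool]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or other non-feature text from ethtool
        name, state, note = m.groups()
        features[name] = (state, note == "fixed")
    return features

def features_still_on(text: str) -> Tuple[List[str], List[str]]:
    """Return (changeable, fixed): features reported 'on', split by whether ethtool -K could turn them off."""
    changeable: List[str] = []
    fixed: List[str] = []
    for name, (state, is_fixed) in parse_ethtool_features(text).items():
        if state == "on":
            (fixed if is_fixed else changeable).append(name)
    return changeable, fixed

def check_interface(iface: str) -> Tuple[List[str], List[str]]:
    """Classify features on a live interface (assumes ethtool is installed and runnable by the caller)."""
    out = subprocess.run(["ethtool", "-k", iface], check=True,
                         capture_output=True, text=True).stdout
    return features_still_on(out)

if __name__ == "__main__":
    on_changeable, on_fixed = features_still_on(SAMPLE_ETHTOOL_K)
    print("still on, ethtool -K can disable:", on_changeable)
    print("still on but driver-fixed:", on_fixed)
```

On the quoted listing the only remaining non-fixed feature that is on is tx-nocache-copy; the VLAN offload and filter features are on but fixed by the driver, so ethtool alone cannot change them.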