[Oisf-users] Suricata : http.log is empty

khushal kaviraj khushal08 at yahoo.com
Thu Oct 1 15:39:37 UTC 2015 

Hi Victor,
I am using Suricata(and ELK) to capture and analyze network packets. 

I facing an issue with http packet capture. My http.log(and eve.json) is empty. I have verified with wireshark capture that http packets can be seen from the host. It’s just that suricata is not able to populate http.log.I was wondering, if you could give me some valuable inputs to troubleshoot this issue??
Physical setup : - Packets are duplicated and sent to the Ubuntu server with suricata. A splitter, which sits between the border router and ISP(Similar to SPAN), sends the duplicate traffic to to our IDS server.- We are using a SuperMicro Xenon A+ 1042G-TF Server. A 10G FC port(eth2) is used for packet capture.- All offloading is disabled as following :khushal at hermes:/var/log/suricata$ sudo ethtool -k eth2Features for eth2:rx-checksumming: offtx-checksumming: off tx-checksum-ipv4: off tx-checksum-ip-generic: off [fixed] tx-checksum-ipv6: off tx-checksum-fcoe-crc: off [fixed] tx-checksum-sctp: off [fixed]scatter-gather: off tx-scatter-gather: off tx-scatter-gather-fraglist: off [fixed]tcp-segmentation-offload: off tx-tcp-segmentation: off tx-tcp-ecn-segmentation: off [fixed] tx-tcp6-segmentation: offudp-fragmentation-offload: off [fixed]generic-segmentation-offload: offgeneric-receive-offload: offlarge-receive-offload: off [fixed]rx-vlan-offload: on [fixed]tx-vlan-offload: on [fixed]ntuple-filters: off [fixed]receive-hashing: offhighdma: on [fixed]rx-vlan-filter: on [fixed]vlan-challenged: off [fixed]tx-lockless: off [fixed]netns-local: off [fixed]tx-gso-robust: off [fixed]tx-fcoe-segmentation: off [fixed]tx-gre-segmentation: off [fixed]tx-ipip-segmentation: off [fixed]tx-sit-segmentation: off [fixed]tx-udp_tnl-segmentation: off [fixed]tx-mpls-segmentation: off [fixed]fcoe-mtu: off [fixed]tx-nocache-copy: onloopback: offrx-fcs: off [fixed]rx-all: off [fixed]tx-vlan-stag-hw-insert: off [fixed]rx-vlan-stag-hw-parse: off [fixed]rx-vlan-stag-filter: off [fixed]l2-fwd-offload: off [fixed]khushal at hermes:/var/log/suricata$ 
Currently, I am facing an issue with HTTP packet capture on eth2(FC Port).Following are the details of this port :       description: Ethernet interface       product: MT27500 Family [ConnectX-3]       vendor: Mellanox Technologies       physical id: 0       bus info: pci at 0000:03:00.0       logical name: eth2       version: 00       serial: 00:02:c9:23:12:00       width: 64 bits       clock: 33MHz       capabilities: pm vpd msix pciexpress bus_master cap_list rom ethernet physical fibre       configuration: autonegotiation=off broadcast=yes driver=mlx4_en driverversion=2.2-1 (Feb 2014) duplex=full firmware=2.11.500 latency=0 link=yes multicast=yes port=fibre       resources: irq:24 memory:dff00000-dfffffff memory:dd800000-ddffffff memory:dfe00000-dfefffff

Basically eth2(FC port) is not able to capture HTTP packets. It can capture all types of packets except for http and the http log is empty. 
I was also facing the same issue on eth0(1G Copper port). After disabling offloading on eth0 and it started capturing HTTP packets. However, disabling offloading on eth2, does not help. 
Suricata Version :This is Suricata version 2.0.8 RELEASE
Please find suricata.yaml attached.
Thanks, Khushal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20151001/0cd726b8/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricata.yaml
Type: application/octet-stream
Size: 50121 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20151001/0cd726b8/attachment-0001.obj>

More information about the Oisf-users mailing list