[Oisf-users] Suricata : http.log is empty

khushal kaviraj khushal08 at yahoo.com
Thu Oct 1 21:46:08 UTC 2015

Sending again as the first mail was a bit obfuscated due to formatting issues.  
Hi Victor,
I am using Suricata (and ELK) to capture and analyze network packets.

I am facing an issue with HTTP packet capture. My http.log (and eve.json) is empty. I have verified with a Wireshark capture that HTTP packets can be seen from the host. It's just that Suricata is not able to populate http.log. I was wondering if you could give me some valuable inputs to troubleshoot this issue?
Physical setup:
1. Packets are duplicated and sent to the Ubuntu server with Suricata. A splitter, which sits between the border router and the ISP (similar to SPAN), sends the duplicate traffic to our IDS server.
2. We are using a SuperMicro Xenon A+ 1042G-TF server. A 10G FC port (eth2) is used for packet capture.
3. All offloading is disabled as follows:
khushal at hermes:/var/log/suricata$ sudo ethtool -k eth2
Features for eth2:
rx-checksumming: off
tx-checksumming: off
	tx-checksum-ipv4: off
	tx-checksum-ip-generic: off [fixed]
	tx-checksum-ipv6: off
	tx-checksum-fcoe-crc: off [fixed]
	tx-checksum-sctp: off [fixed]
scatter-gather: off
	tx-scatter-gather: off
	tx-scatter-gather-fraglist: off [fixed]
tcp-segmentation-offload: off
	tx-tcp-segmentation: off
	tx-tcp-ecn-segmentation: off [fixed]
	tx-tcp6-segmentation: off
udp-fragmentation-offload: off [fixed]
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off [fixed]
rx-vlan-offload: on [fixed]
tx-vlan-offload: on [fixed]
ntuple-filters: off [fixed]
receive-hashing: off
highdma: on [fixed]
rx-vlan-filter: on [fixed]
vlan-challenged: off [fixed]
tx-lockless: off [fixed]
netns-local: off [fixed]
tx-gso-robust: off [fixed]
tx-fcoe-segmentation: off [fixed]
tx-gre-segmentation: off [fixed]
tx-ipip-segmentation: off [fixed]
tx-sit-segmentation: off [fixed]
tx-udp_tnl-segmentation: off [fixed]
tx-mpls-segmentation: off [fixed]
fcoe-mtu: off [fixed]
tx-nocache-copy: on
loopback: off
rx-fcs: off [fixed]
rx-all: off [fixed]
tx-vlan-stag-hw-insert: off [fixed]
rx-vlan-stag-hw-parse: off [fixed]
rx-vlan-stag-filter: off [fixed]
l2-fwd-offload: off [fixed]
khushal at hermes:/var/log/suricata$
Currently, I am facing an issue with HTTP packet capture on eth2(FC Port).
Following are the details of this port:
       description: Ethernet interface
       product: MT27500 Family [ConnectX-3]
       vendor: Mellanox Technologies
       physical id: 0
       bus info: pci at 0000:03:00.0
       logical name: eth2
       version: 00
       serial: 00:02:c9:23:12:00
       width: 64 bits
       clock: 33MHz
       capabilities: pm vpd msix pciexpress bus_master cap_list rom ethernet physical fibre
       configuration: autonegotiation=off broadcast=yes driver=mlx4_en driverversion=2.2-1 (Feb 2014) duplex=full firmware=2.11.500 latency=0 link=yes multicast=yes port=fibre
       resources: irq:24 memory:dff00000-dfffffff memory:dd800000-ddffffff memory:dfe00000-dfefffff

Basically eth2 (FC port) is not able to capture HTTP packets. It can capture all types of packets except for HTTP, and the http log is empty.
I was also facing the same issue on eth0 (1G copper port). After disabling offloading on eth0, it started capturing HTTP packets. However, disabling offloading on eth2 does not help.
Suricata version: This is Suricata version 2.0.8 RELEASE
Please find suricata.yaml attached.
Thanks, Khushal
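A small check to go with the offload listing above, added here and not part of the original post: it parses `ethtool -k` output (assumed in its standard `name: on|off [fixed]` line format) and separates the features that are still on and changeable with `ethtool -K` from those the driver reports as fixed. The sample input is constructed and abbreviated from the eth2 listing in the post.

```shell
#!/bin/sh
# Constructed sample in the standard `ethtool -k` line format
# ("name: on|off [fixed]"), abbreviated from the eth2 listing in the post.
# Sub-features are indented as ethtool prints them.
SAMPLE_ETHTOOL='Features for eth2:
rx-checksumming: off
tx-checksumming: off
    tx-checksum-ipv4: off
    tx-checksum-ip-generic: off [fixed]
tcp-segmentation-offload: off
generic-segmentation-offload: off
generic-receive-offload: off
large-receive-offload: off [fixed]
rx-vlan-offload: on [fixed]
tx-vlan-offload: on [fixed]
highdma: on [fixed]
rx-vlan-filter: on [fixed]
tx-nocache-copy: on
loopback: off'

# Features that are still "on" and NOT marked [fixed]: these are the only
# ones the driver lets you change with `ethtool -K`. Reads ethtool -k
# output on stdin and prints one feature name per line.
tunable_on() {
    awk -F': ' '/^[ \t]*[a-z0-9_-]+: on$/ {
        sub(/^[ \t]+/, "", $1); print $1 }'
}

# Features that are "on" but [fixed]: the driver or hardware pins them, so
# a "disable all offloading" pass cannot have turned them off.
fixed_on() {
    awk -F': ' '/: on \[fixed\]$/ {
        sub(/^[ \t]+/, "", $1); print $1 }'
}

# Demo on the constructed sample; against a live box use:
#   sudo ethtool -k eth2 | tunable_on
echo "still on and tunable:"
printf '%s\n' "$SAMPLE_ETHTOOL" | tunable_on
echo "on but fixed by the driver:"
printf '%s\n' "$SAMPLE_ETHTOOL" | fixed_on
```

On the sample this reports tx-nocache-copy as the one feature still on and tunable, and the four VLAN/highdma features as pinned by the driver.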

-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricata.yaml
Type: application/octet-stream
Size: 50121 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20151001/740fad0e/attachment-0002.obj>
