[Oisf-users] Truncated files

Peter Manev petermanev at gmail.com
Mon Oct 15 06:30:58 UTC 2018

On Fri, Oct 12, 2018 at 10:41 AM Piquenot, Gaetan
<gaetan.piquenot at airbus.com> wrote:
> > Still things can be different.
> > Is the NIC set up and config (ethtool -k ethxxx ) exactly the same for
> > both VMs ?
> We use vmxnet3 for our interface. Both output are the same everything is off except highdma and rx-vlan-filter.

>From what i can see - even Wireshark does not report HTTP file present
(This is the way i checked: File->Export Objects->HTTP..) and reports
"unseen segments". Suricata reports reassembly gap as well as 2 alerts
(archive over http but the files are truncated in flight).

Can you extract the actual file captured by Moloch(MAL140_7ZIP) and
compare the sha256 of the extracted/downloaded file and the one that
is served by the http server - would they match?

Thank you

Peter Manev

More information about the Oisf-users mailing list