Packetbeat - Bug parsing http method

Hi,

I've stumbled upon a weird bug with HTTP protocol method parsing. Upon feeding the following PCAP file https://drive.google.com/file/d/11DN4ZXbWE-W83VdwSRfJA04jBbOLMzs3/view?usp=sharing to the latest packetbeat, one of the requests ends up with a method that looks like this: l_id\":\"f550e6c4-9303-4b70-a640-5c0e1d2fc0d3\"}}. The capture looks just fine in Wireshark. I obtained the file by capturing HTTP traffic on port 9200 with the following basic setup: https://gist.github.com/dmsergeev/add4770be0475e4bc2ea9ec4b37b4edf

I tried looking at the code and it seems that the problem is somewhere in the TCP layer code, as parsing works as intended, establishing that the Request-Line of the request is: l_id\":\"f550e6c4-9303-4b70-a640-5c0e1d2fc0d3\"}}\nPOST /_bulk HTTP/1.1, which, as far as I can see, does not violate the HTTP specification.

You can easily generate your own PCAP file like this by following these steps:

  1. Copy both docker-compose.yml and packetbeat.yml on your machine
  2. Run docker-compose up
  3. Run sudo tcpdump -i any -s 1514 'tcp port 9200' -w path_to_pcap.pcap. I chose a snaplen of 1514 to match the packetbeat config
  4. Feed that to packetbeat
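Added example, not packetbeat's code and not derived from the PCAP above: a small Go sketch of the symptom in this post beside a stricter request-line check. RFC 7230 defines the HTTP method as a token, so a parser that validates the token can recognise stale bytes from a previous message sitting in front of POST /_bulk HTTP/1.1, skip to the next line, and count what it skipped so the desync can be logged. The stream bytes (leakedTail, sampleStream) and the functions naiveMethod and parseRequestLine are all hypothetical constructions for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
)

// Constructed input (hypothetical bytes, not taken from the PCAP): the tail
// of a previous JSON response body left in the buffer, then the real request.
const leakedTail = `l_id":"f550e6c4-9303-4b70-a640-5c0e1d2fc0d3"}}`
var sampleStream = []byte(leakedTail + "\nPOST /_bulk HTTP/1.1\r\nHost: localhost:9200\r\n\r\n")

// isTchar reports whether c is an RFC 7230 tchar, the only bytes a method token may contain.
func isTchar(c byte) bool {
	return c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c >= '0' && c <= '9' ||
		strings.IndexByte("!#$%&'*+-.^_`|~", c) >= 0
}
func isToken(b []byte) bool {
	return len(b) > 0 && bytes.IndexFunc(b, func(r rune) bool { return r > 127 || !isTchar(byte(r)) }) < 0
}

// naiveMethod mimics a parser that takes everything before the first whitespace as the method.
func naiveMethod(stream []byte) string {
	if i := bytes.IndexAny(stream, " \r\n"); i >= 0 {
		return string(stream[:i])
	}
	return ""
}

// parseRequestLine accepts a line only if its method is a token and its version starts with
// "HTTP/"; other lines are treated as leakage from an earlier message, skipped, and counted.
func parseRequestLine(stream []byte) (method, target, version string, skipped int, err error) {
	for {
		rest := stream[skipped:]
		nl := bytes.IndexByte(rest, '\n')
		if nl < 0 {
			return "", "", "", skipped, fmt.Errorf("no complete request line")
		}
		f := bytes.Fields(bytes.TrimRight(rest[:nl], "\r"))
		if len(f) == 3 && isToken(f[0]) && bytes.HasPrefix(f[2], []byte("HTTP/")) {
			return string(f[0]), string(f[1]), string(f[2]), skipped, nil
		}
		skipped += nl + 1
	}
}
func main() {
	fmt.Printf("naive method: %q\n", naiveMethod(sampleStream))
	fmt.Println(parseRequestLine(sampleStream))
}
```

With the constructed stream, naiveMethod returns the same kind of garbled value the post shows, while parseRequestLine returns POST /_bulk HTTP/1.1 and reports 47 skipped bytes.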
