Hi,
I've stumbled upon a weird bug with HTTP protocol method parsing. Upon feeding the following PCAP file https://drive.google.com/file/d/11DN4ZXbWE-W83VdwSRfJA04jBbOLMzs3/view?usp=sharing to the latest packetbeat, one of the requests ends up having a method looking like this: `l_id\":\"f550e6c4-9303-4b70-a640-5c0e1d2fc0d3\"}}`. The capture looks just fine in Wireshark. I've obtained the file by capturing HTTP traffic on port 9200 with the following basic setup: https://gist.github.com/dmsergeev/add4770be0475e4bc2ea9ec4b37b4edf
I tried looking at the code and it seems that the problem is somewhere in the TCP layer code, as the parsing works as intended, establishing that the Request-Line of the request is: `l_id\":\"f550e6c4-9303-4b70-a640-5c0e1d2fc0d3\"}}\nPOST /_bulk HTTP/1.1`, which, as far as I can see, does not violate the HTTP specification.
You can easily generate your own PCAP file like this by following these steps:

- Copy both `docker-compose.yml` and `packetbeat.yml` to your machine
- Run `docker-compose up`
- Run `sudo tcpdump -i any -s 1514 'tcp port 9200' -w path_to_pcap.pcap`. I've chosen the snaplen to be 1514 to match the packetbeat config
- Feed that to packetbeat
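As an added example (not part of this report or of packetbeat's own code), here is a small Python request-line scanner that applies the RFC 7230 token rule to the method and reports any bytes found ahead of a request-line as leftover framing rather than accepting them as a method. The sample stream is constructed to mirror the `}}\nPOST /_bulk` sequence above; the Host and Content-Length values in it are assumed.

```python
import re
# RFC 7230 s3.2.6: token = 1*tchar. A method is a token, so '"', ':' or '}' can never be in one.
_TCHAR = rb"!#$%&'*+\-.^_`|~0-9A-Za-z"
_REQUEST_LINE = re.compile(rb"^([" + _TCHAR + rb"]+) ([^ \t]+) HTTP/([0-9]\.[0-9])$")

def parse_request_line(line: bytes):
    """Return (method, target, version), or None if `line` is not a request-line."""
    m = _REQUEST_LINE.match(line)
    return (m.group(1), m.group(2), m.group(3)) if m else None

def split_requests(stream: bytes):
    """Return (requests, skipped) for a reassembled client-to-server stream.

    Bytes that sit in front of a request-line without being one are reported in
    `skipped` instead of being accepted as a method; an entry there means lost framing.
    """
    requests, skipped, pending, pos = [], [], b"", 0
    while pos < len(stream):
        nl = stream.find(b"\n", pos)
        if nl < 0:
            pending += stream[pos:]
            break
        line, pos = stream[pos:nl].rstrip(b"\r"), nl + 1
        parsed = parse_request_line(line)
        if parsed is None:
            pending += line + b"\n"  # resync: keep scanning for a real request-line
            continue
        if pending:
            skipped.append(pending)
            pending = b""
        hdr_end = stream.find(b"\r\n\r\n", pos)
        if hdr_end < 0:
            break  # headers incomplete; a real parser would wait for more data
        m = re.search(rb"content-length:\s*(\d+)", stream[pos:hdr_end].lower())
        body_len = int(m.group(1)) if m else 0
        pos = hdr_end + 4
        requests.append((*parsed, stream[pos:pos + body_len]))
        pos += body_len
    if pending:
        skipped.append(pending)
    return requests, skipped

# Constructed sample (not from the capture): the first request's framing ends after
# 10 body bytes, leaving an NDJSON tail in the stream right before the next request-line.
SAMPLE = (
    b"POST /_bulk HTTP/1.1\r\nHost: localhost:9200\r\nContent-Length: 10\r\n\r\n"
    b'{"index":{'
    b'l_id":"f550e6c4-9303-4b70-a640-5c0e1d2fc0d3"}}\n'
    b"POST /_bulk HTTP/1.1\r\nHost: localhost:9200\r\nContent-Length: 0\r\n\r\n"
)
```

Running `split_requests(SAMPLE)` yields two well-formed `POST /_bulk` requests plus one skipped run holding the JSON tail, which is the byte sequence the report shows being taken as a method.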