Packetbeat - Bug parsing http method


I've stumbled upon a weird bug with HTTP protocol method parsing. Upon feeding the following PCAP file to the latest packetbeat, one of the requests ends up having a method that looks like this: l_id\":\"f550e6c4-9303-4b70-a640-5c0e1d2fc0d3\"}}. The capture looks just fine in Wireshark. I obtained the file by capturing HTTP traffic on port 9200 with the following basic setup:

I tried looking at the code and it seems that the problem is somewhere in the TCP layer code, as parsing works as intended, establishing that the Request-Line of the request is: l_id\":\"f550e6c4-9303-4b70-a640-5c0e1d2fc0d3\"}}\nPOST /_bulk HTTP/1.1 which, as far as I can see, does not violate the HTTP specification.

You can easily generate a PCAP file like this by following these steps:

  1. Copy both docker-compose.yml and packetbeat.yml on your machine
  2. Run docker-compose up
  3. Run sudo tcpdump -i any -s 1514 'tcp port 9200' -w path_to_pcap.pcap. I've chosen a snaplen of 1514 to match the packetbeat config
  4. Feed that to packetbeat
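The symptom in this report is a request line that begins inside the previous request's body, which is what a stream parser produces when it does not consume every body byte before looking for the next request line. The Go example below is added here and is not Packetbeat's code: it parses a constructed stream of two pipelined _bulk requests by consuming each body by Content-Length, and it rejects a request line whose method is not an RFC 7230 token instead of reporting leftover body bytes as the method. SampleStream, ParseStream and isToken are names of this example only.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

type Request struct{ Method, Target, Version, Body string }
// SampleStream is a constructed client-to-server capture of two pipelined _bulk requests (21-byte bodies).
var SampleStream = strings.Repeat("POST /_bulk HTTP/1.1\r\nContent-Length: 21\r\n\r\n{\"index\":{}}\n{\"a\":1}\n", 2)

// isToken reports whether s is an RFC 7230 token, which a request method must be.
func isToken(s string) bool {
	return s != "" && strings.IndexFunc(s, func(r rune) bool {
		return r <= ' ' || r >= 0x7f || strings.ContainsRune(`()<>@,;:\"/[]?={}`, r)
	}) < 0
}

// ParseStream splits a reassembled stream into pipelined requests, consuming each body by
// Content-Length so the next request line is read at the right offset instead of inside a body.
func ParseStream(stream string) ([]Request, error) {
	var reqs []Request
	for stream != "" {
		head, rest, ok := strings.Cut(stream, "\r\n\r\n") // headers end at the first blank line
		if !ok {
			return reqs, fmt.Errorf("incomplete headers")
		}
		lines := strings.Split(head, "\r\n")
		parts := strings.SplitN(lines[0], " ", 3)
		if len(parts) != 3 || !isToken(parts[0]) { // garbage is an error, never a method
			return reqs, fmt.Errorf("bad request line %q", lines[0])
		}
		clen := 0
		for _, h := range lines[1:] {
			if k, v, ok := strings.Cut(h, ":"); ok && strings.EqualFold(strings.TrimSpace(k), "Content-Length") {
				n, err := strconv.Atoi(strings.TrimSpace(v))
				if err != nil || n < 0 {
					return reqs, fmt.Errorf("bad Content-Length %q", v)
				}
				clen = n
			}
		}
		if len(rest) < clen {
			return reqs, fmt.Errorf("truncated body for %s %s", parts[0], parts[1])
		}
		reqs = append(reqs, Request{parts[0], parts[1], parts[2], rest[:clen]})
		stream = strings.TrimLeft(rest[clen:], "\r\n") // RFC 7230 §3.5: blank lines between requests are ignored
	}
	return reqs, nil
}
```

Only Content-Length bodies are handled; a chunked body needs the same discipline of consuming the whole body before the next request line is parsed.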