PacketBeat fails to extract HTTP from simple PCAP

theetete · October 13, 2017, 9:51am

Hi,
I got trouble in extracting HTTP from my tcpdumped file
All I get is one tcp stream, but if I check with Wireshark I got full HTTP streams.

2017-10-13T09:40:52Z INFO packetbeat start running.
2017-10-13T09:40:52Z DBG  start flows worker
2017-10-13T09:40:52Z DBG  Waiting for the sniffer to finish
2017-10-13T09:40:52Z DBG  Packet number: 1
2017-10-13T09:40:52Z DBG  decode packet data
2017-10-13T09:40:52Z DBG  lock flows
2017-10-13T09:40:52Z DBG  flowid: add eth
2017-10-13T09:40:52Z DBG  worker wait start(2017-10-13 09:41:00 +0000 UTC): 7.639828107s
2017-10-13T09:40:52Z DBG  IPv4 packet
2017-10-13T09:40:52Z DBG  flowid: add ipv4
2017-10-13T09:40:52Z DBG  TCP packet
2017-10-13T09:40:52Z DBG  flowid: add tcp
2017-10-13T09:40:52Z DBG  flow id flags: 1041
2017-10-13T09:40:52Z DBG  get flow
2017-10-13T09:40:52Z DBG  lookup flow: {1041 0 255 255 255 12 255 255 255 255 255 20 255 1 0 1} => [144 177 28 86 238 13 248 202 184 68 225 84 10 1 1 115 10 1 5 37 80 0 128  99]
2017-10-13T09:40:52Z DBG  create new flow
2017-10-13T09:40:52Z DBG  unlock flows
2017-10-13T09:40:52Z DBG  Packet number: 2
2017-10-13T09:40:52Z DBG  decode packet data
2017-10-13T09:40:52Z DBG  lock flows
2017-10-13T09:40:52Z DBG  flowid: add eth
2017-10-13T09:40:52Z DBG  IPv4 packet
2017-10-13T09:40:52Z DBG  flowid: add ipv4
2017-10-13T09:40:52Z DBG  TCP packet
2017-10-13T09:40:52Z DBG  flowid: add tcp
2017-10-13T09:40:52Z DBG  flow id flags: 1041
2017-10-13T09:40:52Z DBG  get flow
2017-10-13T09:40:52Z DBG  lookup flow: {1041 0 255 255 255 12 255 255 255 255 255 20 255 1 0 1} => [144 177 28 86 238 13 248 202 184 68 225 84 10 1 1 115 10 1 5 37 80 0 128  99]
2017-10-13T09:40:52Z DBG  unlock flows
2017-10-13T09:40:52Z DBG  Packet number: 3
2017-10-13T09:40:52Z DBG  decode packet data
2017-10-13T09:40:52Z DBG  lock flows
2017-10-13T09:40:52Z DBG  flowid: add eth
2017-10-13T09:40:52Z DBG  IPv4 packet
2017-10-13T09:40:52Z DBG  flowid: add ipv4
2017-10-13T09:40:52Z DBG  TCP packet
2017-10-13T09:40:52Z DBG  flowid: add tcp
2017-10-13T09:40:52Z DBG  flow id flags: 1041
2017-10-13T09:40:52Z DBG  get flow
2017-10-13T09:40:52Z DBG  lookup flow: {1041 0 255 255 255 12 255 255 255 255 255 20 255 1 0 1} => [144 177 28 86 238 13 248 202 184 68 225 84 10 1 1 115 10 1 5 37 80 0 128  99]
2017-10-13T09:40:52Z DBG  unlock flows
2017-10-13T09:40:52Z DBG  Packet number: 4
2017-10-13T09:40:52Z DBG  decode packet data
2017-10-13T09:40:52Z DBG  lock flows
2017-10-13T09:40:52Z DBG  flowid: add eth
2017-10-13T09:40:52Z DBG  IPv4 packet
2017-10-13T09:40:52Z DBG  flowid: add ipv4
2017-10-13T09:40:52Z DBG  TCP packet
2017-10-13T09:40:52Z DBG  flowid: add tcp
2017-10-13T09:40:52Z DBG  flow id flags: 1041
2017-10-13T09:40:52Z DBG  get flow
2017-10-13T09:40:52Z DBG  lookup flow: {1041 0 255 255 255 12 255 255 255 255 255 20 255 1 0 1} => [144 177 28 86 238 13 248 202 184 68 225 84 10 1 1 115 10 1 5 37 80 0 128  99]
2017-10-13T09:40:52Z DBG  unlock flows
2017-10-13T09:40:52Z DBG  Packet number: 5
2017-10-13T09:40:52Z DBG  decode packet data
2017-10-13T09:40:52Z DBG  lock flows
2017-10-13T09:40:52Z DBG  flowid: add eth
2017-10-13T09:40:52Z DBG  IPv4 packet
2017-10-13T09:40:52Z DBG  flowid: add ipv4
2017-10-13T09:40:52Z DBG  TCP packet
2017-10-13T09:40:52Z DBG  flowid: add tcp
2017-10-13T09:40:52Z DBG  flow id flags: 1041
2017-10-13T09:40:52Z DBG  get flow
2017-10-13T09:40:52Z DBG  lookup flow: {1041 0 255 255 255 12 255 255 255 255 255 20 255 1 0 1} => [144 177 28 86 238 13 248 202 184 68 225 84 10 1 1 115 10 1 5 37 80 0 128  99]
2017-10-13T09:40:52Z DBG  unlock flows

[...]

thanks for your help

steffens · October 13, 2017, 1:30pm

How do you run packetbeat?

Are you looking at flows or are you refering to HTTP transactions from the HTTP module? Seems like you are more interested in the HTTP transactions.

HTTP is on top of TCP. The flows module only looks at src/dst + IP/Port address pairs + times out the flow if no more packets are seen in a TCP connection. Even TCP Reconnects with same ports might be counted into the same flow. There can be multiple HTTP transactions in one TCP connection.

theetete · October 13, 2017, 2:40pm

Yes I had HTTP configured but found out it works better with specifying a port number in yml
ports: [80]
is there any way to catch all HTTP transaction regardless the port number, especially when reading from PCAP file ?

Now I got some results now but only halve of my requests are effectively stored in ES...
I expect 4 HTTP req/resp documents but only got 2 ...

2017-10-13T14:35:21Z INFO Total non-zero values: libbeat.es.call_count.PublishEvents=2 libbeat.es.publish.read_bytes=1076 libbeat.es.publish.write_bytes=3065 libbeat.es.published_and_acked_events=2 libbeat.publisher.messages_in_worker_queues=8 libbeat.publisher.published_events=4

theetete · October 13, 2017, 3:18pm

nvm, I fixed it with -waitstop 10

Samuel_Lima1 · November 7, 2017, 3:21pm

Hi,
How did you solve this problem?
Where did you set up -waitstop 10 ?
I didnt find this property in yml.

theetete · November 7, 2017, 3:42pm

Hi,
It's a command line option not a yml config

system · December 5, 2017, 3:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Failed to understand HTTP response Beats packetbeat	2	844	February 22, 2018
Packetbeat - Bug parsing http method Beats beats-development , packetbeat	1	533	October 25, 2020
Packetbeat is not sniffing the packets from a SPAN port Beats packetbeat	3	1894	July 5, 2017
Unable to get mysql performance in packetbeat Beats packetbeat	24	5194	July 5, 2017
Debug Unmatched Responses and tcp dropped because of gaps Beats packetbeat	4	987	November 10, 2018

PacketBeat fails to extract HTTP from simple PCAP

Related topics