Support #1832

closed

missed http log

Added by Changbae Jeon over 7 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal
Assignee: -
Affected Versions:
Label:

Description

I installed and tested suricata 3.1.

I can't find some http requests in http log.
tcpdump

15:22:38.981121 IP 255.53.203.105.59484 > 123.121.166.201.http: Flags [P.], seq 1:503, ack 1, win 256, length 502: HTTP: GET /~sgtatham/putty/0.67/x86/puttytel.exe HTTP/1.1
15:22:39.028003 IP 255.53.203.105.59485 > 123.121.166.201.http: Flags [P.], seq 1:500, ack 1, win 256, length 499: HTTP: GET /~sgtatham/putty/0.67/x86/putty.exe HTTP/1.1
15:22:39.231393 IP 255.53.203.105.59486 > 123.121.166.201.http: Flags [P.], seq 1:499, ack 1, win 256, length 498: HTTP: GET /~sgtatham/putty/0.67/x86/pscp.exe HTTP/1.1
15:22:39.300317 IP 255.53.203.105.59487 > 123.121.166.201.http: Flags [P.], seq 1:500, ack 1, win 256, length 499: HTTP: GET /~sgtatham/putty/0.67/x86/psftp.exe HTTP/1.1
15:22:39.859723 IP 255.53.203.105.59488 > 123.121.166.201.http: Flags [P.], seq 1:500, ack 1, win 256, length 499: HTTP: GET /~sgtatham/putty/0.67/x86/plink.exe HTTP/1.1
15:22:40.465308 IP 255.53.203.105.59489 > 123.121.166.201.http: Flags [P.], seq 1:502, ack 1, win 256, length 501: HTTP: GET /~sgtatham/putty/0.67/x86/pageant.exe HTTP/1.1
15:22:40.993240 IP 255.53.203.105.59484 > 123.121.166.201.http: Flags [P.], seq 503:1005, ack 335053, win 10292, length 502: HTTP: GET /~sgtatham/putty/0.67/x86/puttygen.exe HTTP/1.1
15:22:49.389869 IP 255.53.203.105.59490 > 179-92-239-231.user.vivozap.com.br.http: Flags [P.], seq 1:502, ack 1, win 256, length 501: HTTP: GET /~simon/putty-snapshots/x86/putty.exe HTTP/1.1
15:22:49.464174 IP 255.53.203.105.59491 > 179-92-239-231.user.vivozap.com.br.http: Flags [P.], seq 1:505, ack 1, win 256, length 504: HTTP: GET /~simon/putty-snapshots/x86/puttytel.exe HTTP/1.1
15:22:50.528012 IP 255.53.203.105.59492 > 179-92-239-231.user.vivozap.com.br.http: Flags [P.], seq 1:501, ack 1, win 256, length 500: HTTP: GET /~simon/putty-snapshots/x86/pscp.exe HTTP/1.1
15:22:50.724497 IP 255.53.203.105.59493 > 179-92-239-231.user.vivozap.com.br.http: Flags [P.], seq 1:502, ack 1, win 256, length 501: HTTP: GET /~simon/putty-snapshots/x86/psftp.exe HTTP/1.1
15:22:51.277676 IP 255.53.203.105.59494 > 179-92-239-231.user.vivozap.com.br.http: Flags [P.], seq 1:502, ack 1, win 256, length 501: HTTP: GET /~simon/putty-snapshots/x86/plink.exe HTTP/1.1
15:22:51.789606 IP 255.53.203.105.59495 > 179-92-239-231.user.vivozap.com.br.http: Flags [P.], seq 1:504, ack 1, win 256, length 503: HTTP: GET /~simon/putty-snapshots/x86/pageant.exe HTTP/1.1
15:22:53.290584 IP 255.53.203.105.59491 > 179-92-239-231.user.vivozap.com.br.http: Flags [P.], seq 505:1009, ack 342199, win 967, length 504: HTTP: GET /~simon/putty-snapshots/x86/puttygen.exe HTTP/1.1

http_log

06/29/2016-15:22:39.268559 the.earth.li [**] /~sgtatham/putty/0.67/x86/puttytel.exe [**] Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 [**] 255.53.203.105:59484 -> 123.121.166.201:80
06/29/2016-15:22:39.879593 the.earth.li [**] /~sgtatham/putty/0.67/x86/psftp.exe [**] Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 [**] 255.53.203.105:59487 -> 123.121.166.201:80
06/29/2016-15:22:39.514533 the.earth.li [**] /~sgtatham/putty/0.67/x86/pscp.exe [**] Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 [**] 255.53.203.105:59486 -> 123.121.166.201:80
06/29/2016-15:22:40.146641 the.earth.li [**] /~sgtatham/putty/0.67/x86/plink.exe [**] Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 [**] 255.53.203.105:59488 -> 123.121.166.201:80
06/29/2016-15:22:39.611486 the.earth.li [**] /~sgtatham/putty/0.67/x86/putty.exe [**] Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 [**] 255.53.203.105:59485 -> 123.121.166.201:80
06/29/2016-15:22:41.274641 the.earth.li [**] /~sgtatham/putty/0.67/x86/puttygen.exe [**] Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 [**] 255.53.203.105:59484 -> 123.121.166.201:80
06/29/2016-15:22:49.700064 tartarus.org [**] /~simon/putty-snapshots/x86/putty.exe [**] Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 [**] 255.53.203.105:59490 -> 179.92.239.231:80
06/29/2016-15:22:51.057104 tartarus.org [**] /~simon/putty-snapshots/x86/psftp.exe [**] Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 [**] 255.53.203.105:59493 -> 179.92.239.231:80
06/29/2016-15:22:51.564961 tartarus.org [**] /~simon/putty-snapshots/x86/plink.exe [**] Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 [**] 255.53.203.105:59494 -> 179.92.239.231:80
06/29/2016-15:22:52.104125 tartarus.org [**] /~simon/putty-snapshots/x86/pageant.exe [**] Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 [**] 255.53.203.105:59495 -> 179.92.239.231:80
06/29/2016-15:22:50.823167 tartarus.org [**] /~simon/putty-snapshots/x86/pscp.exe [**] Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 [**] 255.53.203.105:59492 -> 179.92.239.231:80
06/29/2016-15:22:40.750647 the.earth.li [**] /~sgtatham/putty/0.67/x86/pageant.exe [**] Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 [**] 255.53.203.105:59489 -> 123.121.166.201:80
06/29/2016-15:22:50.066071 tartarus.org [**] /~simon/putty-snapshots/x86/puttytel.exe [**] Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36 [**] 255.53.203.105:59491 -> 179.92.239.231:80

So I captured that traffic and attached it to this post.


Files

log_test__.pcap (4.44 MB) Changbae Jeon, 06/29/2016 01:47 AM
Actions #1

Updated by Victor Julien over 7 years ago

  • Tracker changed from Bug to Support

The issue is that one of the streams is experiencing packet loss. Stream 10 has missing data which leads to a stream gap.
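Added example, not part of the ticket or of Suricata: a small reconciliation script that compares the requests tcpdump saw with the entries in http.log, keyed on source IP, source port and URI (tcpdump prints the server as a hostname, so the destination is not used). The sample lines are trimmed from the output in the description, with the user-agent shortened to "UA"; the function names are this example's own.

```python
import re

# Lines trimmed from the ticket's own output (user-agent shortened to "UA").
TCPDUMP = """\
15:22:49.389869 IP 255.53.203.105.59490 > 179-92-239-231.user.vivozap.com.br.http: Flags [P.], seq 1:502, ack 1, win 256, length 501: HTTP: GET /~simon/putty-snapshots/x86/putty.exe HTTP/1.1
15:22:49.464174 IP 255.53.203.105.59491 > 179-92-239-231.user.vivozap.com.br.http: Flags [P.], seq 1:505, ack 1, win 256, length 504: HTTP: GET /~simon/putty-snapshots/x86/puttytel.exe HTTP/1.1
15:22:53.290584 IP 255.53.203.105.59491 > 179-92-239-231.user.vivozap.com.br.http: Flags [P.], seq 505:1009, ack 342199, win 967, length 504: HTTP: GET /~simon/putty-snapshots/x86/puttygen.exe HTTP/1.1
"""
HTTP_LOG = """\
06/29/2016-15:22:49.700064 tartarus.org [**] /~simon/putty-snapshots/x86/putty.exe [**] UA [**] 255.53.203.105:59490 -> 179.92.239.231:80
06/29/2016-15:22:50.066071 tartarus.org [**] /~simon/putty-snapshots/x86/puttytel.exe [**] UA [**] 255.53.203.105:59491 -> 179.92.239.231:80
"""

# tcpdump: "IP <src>.<sport> > <dst>.<svc>: ... HTTP: <METHOD> <uri> HTTP/1.x"
TCPDUMP_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > \S+: .*"
    r"HTTP: (?P<method>[A-Z]+) (?P<uri>\S+) HTTP/"
)
# http.log: "<ts> <host> [**] <uri> [**] <ua> [**] <src>:<sport> -> <dst>:<dport>"
HTTPLOG_RE = re.compile(
    r"^\S+ \S+ \[\*\*\] (?P<uri>\S+) \[\*\*\] .* \[\*\*\] "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> "
)

def requests_seen(text, pattern):
    """Return the (src ip, src port, uri) keys found in a log, in order."""
    keys = []
    for line in text.splitlines():
        m = pattern.search(line)
        if m:
            keys.append((m["src"], int(m["sport"]), m["uri"]))
    return keys

def missing_from_http_log(tcpdump_text, http_log_text):
    """Requests seen on the wire that have no http.log entry, in capture order."""
    logged = set(requests_seen(http_log_text, HTTPLOG_RE))
    return [k for k in requests_seen(tcpdump_text, TCPDUMP_RE) if k not in logged]

if __name__ == "__main__":
    for src, sport, uri in missing_from_http_log(TCPDUMP, HTTP_LOG):
        print(f"not logged: {src}:{sport} GET {uri}")
```

On these lines the only unlogged request is the second GET on the connection from port 59491, which had already carried one logged request.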

Actions #2

Updated by Andreas Herz over 7 years ago

  • Assignee set to Anonymous
  • Target version set to TBD
Actions #3

Updated by Andreas Herz almost 7 years ago

Closed since no response after 8 months, reopen if necessary, thanks!

Actions #4

Updated by Andreas Herz almost 7 years ago

  • Status changed from New to Closed
Actions #5

Updated by Victor Julien over 6 years ago

  • Target version deleted (TBD)