Catching HTTP traffic on loopback

  • Suricata version: 7.0.3
  • Operating system and/or Linux distribution: MacOS
  • How you installed Suricata (from source, packages, something else): Got from brew

Hello. I am trying to catch HTTP traffic from my local server using Suricata.
I use this rule: alert http any any → any any (http.method; content: “GET”; msg:“http from lo0”; sid:5000000;)
The command I run: suricata -c suricata.yaml -i lo0 --pcap=lo0
However there are no packets in fast.log or log.pcap. The rule definitely works if I use my ethernet interface, but for loopback it doesn’t work.

How are you initiating the traffic across the lo0 interface (via curl/wget/etc)?

Are you able to see the traffic in wireshark or tcpdump if you run those in parallel to suricata?


I start my server and send get request via form. In Wireshark I can see all the packets on lo0.

If I write rules for tcp, I can see all the packets in fast.log. But for http it doesn’t work.

Are you able to share the pcap?

log.pcap (6.0 KB)

Did you try with -k none to ignore checksums ?

1 Like

Sorry for late answer.
Yes, now it works. Thank you!