Some MAC addresses are missing in the HTTP logs

Naishuang · February 19, 2025, 12:32am

Suricata version：7.0.2
Operating system and/or Linux distribution：centos7

I played back the http packets with “suricata - r” and found that some of the logs were missing mac addresses.

I found during debugging that the code entered this section.Does anyone know what conditions will cause x not to be NULL?

pcap：http.pcap (2.7 KB)

Philippe_Antoine · February 25, 2025, 7:51am

Thanks for this report.

It looks like the feature (Mac address logging) is incomplete indeed

In your pcap, it looks like this code is reached at 2 places : when doing the upgrade from HTTP1 to HTTP2, and at timeout

jq 'select(.ether == null)' log/eve.json

Philippe_Antoine · February 25, 2025, 7:53am

Topic		Replies	Views
Suricata http traffic parse exception in mirror traffic Help	5	930	January 25, 2022
Suricata parse http error, lots of /libhtp::request_uri_not_seen and http request info lose Help suricata	3	553	August 31, 2023
Suricata 7.0.6 The data of pcap package cannot be obtained by HTTP,	2	27	October 9, 2024
Http_method parse issue from mirror packet Help suricata	7	39	November 5, 2024
Some log events have empty payload and payload_printable Help	1	1249	July 27, 2021