Suricata 7.0.6: The data of pcap package cannot be obtained by HTTP

p.pcap (5.6 MB)

The data of pcap package cannot be obtained by HTTP.

I can use Wireshark to view the complete HTTP data.

I do not understand what you want.

Running `./src/suricata -r /Users/catena/Downloads/p.pcap -l log -c suricata.yaml -k none --disable-detection` then `jq 'select(.event_type=="http")' log/eve.json`, I can see lots of http events like:

{
  "timestamp": "2024-08-29T20:43:41.082502+0200",
  "flow_id": 1290950546301405,
  "pcap_cnt": 11337,
  "event_type": "http",
  "src_ip": "192.168.0.152",
  "src_port": 47136,
  "dest_ip": "192.168.3.104",
  "dest_port": 2080,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "tx_id": 44,
  "http": {
    "hostname": "192.168.3.104",
    "http_port": 2080,
    "url": "/hello",
    "http_user_agent": "Go-http-client/1.1",
    "http_content_type": "application/json",
    "http_method": "GET",
    "protocol": "HTTP/1.1",
    "status": 200,
    "length": 41
  }
}

I see that `-k none` is required to retrieve HTTP data.
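
Added example, not part of the thread: `-k none` turns off checksum validation, so a pcap whose TCP checksums are wrong yields `http` events only with that flag. The script below summarizes an `eve.json` and flags that case; it assumes the `stats` event type is enabled in eve-log and carries the `tcp.invalid_checksum` counter, and the sample lines are constructed, not taken from p.pcap.

```python
import json
import sys
from collections import Counter

# Constructed EVE lines (not taken from the thread's pcap).
RUN_DEFAULT = [
    '{"event_type":"flow","proto":"TCP","dest_port":2080}',
    '{"event_type":"stats","stats":{"tcp":{"invalid_checksum":5120}}}',
]
RUN_K_NONE = [
    '{"event_type":"http","dest_port":2080,"http":{"url":"/hello","status":200}}',
    '{"event_type":"flow","proto":"TCP","dest_port":2080}',
    '{"event_type":"stats","stats":{"tcp":{"invalid_checksum":0}}}',
    '{"event_type":"http","dest_po',  # truncated line, must be skipped
]


def summarize(lines):
    """Count events by type and pick up the TCP bad-checksum counter."""
    counts, bad_csum = Counter(), 0
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or partially written line
        if not isinstance(ev, dict):
            continue
        etype = ev.get("event_type", "unknown")
        counts[etype] += 1
        if etype == "stats":
            # Assumed counter path: stats.tcp.invalid_checksum
            tcp = ev.get("stats", {}).get("tcp", {})
            bad_csum = max(bad_csum, tcp.get("invalid_checksum", 0))
    return {"http": counts["http"], "flow": counts["flow"],
            "tcp_invalid_checksum": bad_csum}


def diagnose(summary):
    """Classify a run: 'ok', 'checksum' (likely needs -k none), or 'other'."""
    if summary["http"] > 0:
        return "ok"
    return "checksum" if summary["tcp_invalid_checksum"] > 0 else "other"


if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to an eve.json, e.g. log/eve.json
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(diagnose(summarize(fh)))
    else:
        for name, run in (("default", RUN_DEFAULT), ("-k none", RUN_K_NONE)):
            print(name, summarize(run), diagnose(summarize(run)))
```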