p.pcap (5.6 MB)
The HTTP data of the pcap file cannot be obtained; I can use Wireshark to view the complete HTTP data.
I do not understand what you want.
Running ./src/suricata -r /Users/catena/Downloads/p.pcap -l log -c suricata.yaml -k none --disable-detection
then jq 'select(.event_type=="http")' log/eve.json
I can see lots of http events like
{
  "timestamp": "2024-08-29T20:43:41.082502+0200",
  "flow_id": 1290950546301405,
  "pcap_cnt": 11337,
  "event_type": "http",
  "src_ip": "192.168.0.152",
  "src_port": 47136,
  "dest_ip": "192.168.3.104",
  "dest_port": 2080,
  "proto": "TCP",
  "pkt_src": "wire/pcap",
  "tx_id": 44,
  "http": {
    "hostname": "192.168.3.104",
    "http_port": 2080,
    "url": "/hello",
    "http_user_agent": "Go-http-client/1.1",
    "http_content_type": "application/json",
    "http_method": "GET",
    "protocol": "HTTP/1.1",
    "status": 200,
    "length": 41
  }
}
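The jq filter above is the quickest way to pull http events out of eve.json. The script below is an added example, not part of this thread or of the Suricata project: it parses the newline-delimited EVE JSON output of the run shown above, selects the http events, flattens the fields an analyst usually wants first, and counts repeated (method, host, url, status) tuples so that unusual requests stand out. The sample lines are constructed here (modelled on the event shown above, plus one extra http event, one flow event and one truncated line); the file path in the usage part is an assumption.

```python
import json
import sys
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample EVE lines (not taken from the thread's 5.6 MB pcap). The first
# mirrors the http event shown above; the rest exercise a non-http event and a
# truncated record such as a still-being-written eve.json can contain.
_HTTP_EVENT = {
    "timestamp": "2024-08-29T20:43:41.082502+0200", "flow_id": 1290950546301405,
    "pcap_cnt": 11337, "event_type": "http", "src_ip": "192.168.0.152",
    "src_port": 47136, "dest_ip": "192.168.3.104", "dest_port": 2080,
    "proto": "TCP", "pkt_src": "wire/pcap", "tx_id": 44,
    "http": {"hostname": "192.168.3.104", "http_port": 2080, "url": "/hello",
             "http_user_agent": "Go-http-client/1.1",
             "http_content_type": "application/json", "http_method": "GET",
             "protocol": "HTTP/1.1", "status": 200, "length": 41},
}
_SECOND_HTTP = dict(_HTTP_EVENT, src_port=47140, tx_id=45)
_FLOW_EVENT = {"timestamp": "2024-08-29T20:43:41.100000+0200", "event_type": "flow",
               "src_ip": "192.168.0.152", "dest_ip": "192.168.3.104", "proto": "TCP"}
SAMPLE_EVE_LINES = [
    json.dumps(_HTTP_EVENT),
    json.dumps(_FLOW_EVENT),
    json.dumps(_SECOND_HTTP),
    '{"timestamp": "2024-08-29T20:43:42.0',  # constructed truncated record
]


def iter_events(lines: Iterable[str]) -> Iterable[Dict]:
    """Yield one decoded event per well-formed EVE line.

    eve.json is newline-delimited JSON; a partial last record (file still being
    written, or cut off) is skipped instead of aborting the whole pass.
    """
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def select_http(lines: Iterable[str]) -> List[Dict]:
    """Same selection as jq 'select(.event_type=="http")', flattened for review."""
    rows = []
    for ev in iter_events(lines):
        if ev.get("event_type") != "http":
            continue
        http = ev.get("http", {})
        rows.append({
            "timestamp": ev.get("timestamp"),
            "flow_id": ev.get("flow_id"),
            "src": f"{ev.get('src_ip')}:{ev.get('src_port')}",
            "dest": f"{ev.get('dest_ip')}:{ev.get('dest_port')}",
            "method": http.get("http_method"),
            "host": http.get("hostname"),
            "url": http.get("url"),
            "status": http.get("status"),
            "user_agent": http.get("http_user_agent"),
        })
    return rows


def summarize(rows: List[Dict]) -> Counter:
    """Count requests per (method, host, url, status) so repeated probes show up."""
    return Counter((r["method"], r["host"], r["url"], r["status"]) for r in rows)


if __name__ == "__main__":
    # Usage: python eve_http.py log/eve.json   (path is an assumption; default uses the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lines = list(fh)
    else:
        lines = SAMPLE_EVE_LINES
    for key, n in summarize(select_http(lines)).most_common():
        print(n, *key)
```

The counter view is what makes the missing-data symptom from the original question visible: if checksum validation is left on and the packets carry bad checksums, the http rows simply never appear, so a run without -k none and a run with it can be compared by row count before anyone opens Wireshark.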
I see that -k none is required to retrieve HTTP data