Tx_id in http flow

bvaladier · November 29, 2022, 2:55pm

Hi there,

I can’t find anywhere in suricata documentation how the tx_id value is being incremented, with regards to http flow.
Can anybody tell me how it actually works ?
Thanks very much in advance

Benoit

vjulien · November 29, 2022, 6:39pm

A transaction is a request response pair. Each gets it’s own id, starting at 0. So if the tx_id is 10, it means it’s the 11th (starting at 0) request response pair.

bvaladier · November 30, 2022, 8:12am

Hi Victor,
Thank you for this answer which is crystal clear.
If multiple files are being transmitted within the same flow_id, is this tx_id being incremented for each of them ?

vjulien · November 30, 2022, 10:32am

Usually, but not always. In case of a multipart body we may have multiple files in a single transaction (request/response pair).

bvaladier · December 1, 2022, 8:23am

thanks again Victor for your reply

Topic		Replies	Views
Suricata flow parsing see a lot "libhtp:request_uri_not_seen" Help community	2	897	January 18, 2022
Flow_ID_Duplicated Help	1	453	August 25, 2022
The flow id got changed even though I keep send the same packet Help	2	695	April 27, 2022
Help Needed ! Suricata drops - ,"metadata":{"flowints":{"http.anomaly.count":1}}, Rules ips , rules	5	280	October 7, 2023
Strange behavior with pass and drop rule Help	14	1338	July 9, 2021

Tx_id in http flow

Related topics