Use suricata to replay pcap file without any output

I want to just utilize Suricata to act as an HTTP request/response parser. If the input is pcap files, how should I configure it so that the HTTP streams in the pcap file are parsed and the HTTP information is output (via eve.json or a Lua script)?

BTW, I’ve set “app-layer” > “protocols” > “http” > “enabled” in suricata.yaml to “yes”.

If you’re only interested in creating logs with information from the HTTP content,
make sure that the outputs section has http logging enabled – it’s enabled by default.

See 15.4. Custom http logging — Suricata 6.0.0 documentation

app-layer.protocols.http.enabled enables Suricata’s HTTP parser (also enabled by default).

Thanks, Jeff.
Yes, I’ve enabled HTTP logging (although I want to do some specific output with a Lua script, and the Lua script is working if I’m not reading a pcap file but listening on the NIC).
The following is the http-log section of my suricata.yaml:

  # a line based log of HTTP requests (no alerts)
  - http-log:
      enabled: yes
      filename: http.log
      append: yes
      #extended: yes     # enable this for extended logging information
      #custom: yes       # enable the custom logging format (defined by customformat)
      #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P"
      #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'

Updating this issue: the problem is confirmed to be that the pcap file I was given filtered out all packets except those containing HTTP content. Maybe the TCP handshake packets were also filtered out, so I guess Suricata is not able to follow the stream and get the HTTP content.

This issue can be closed. Sorry for wasting your time.
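A quick check for the condition described in this post (an added example, not code from the thread or from the Suricata project): it groups a capture's TCP packets by flow and reports flows that carry HTTP-looking data but never showed a SYN, i.e. streams for which Suricata has no handshake to follow. It assumes Ethernet/IPv4 frames in a classic libpcap file; the sample frames at the bottom are constructed in the script itself.

```python
import struct

SYN = 0x02
HTTP_MARKERS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"HTTP/1.")

def read_pcap(path):
    """Yield raw frames from a classic libpcap file (assumes Ethernet link type, not pcapng)."""
    with open(path, "rb") as f:
        endian = "<" if f.read(4) in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
        f.read(20)  # skip the rest of the 24-byte global header
        while rec := f.read(16):
            caplen = struct.unpack(endian + "IIII", rec)[2]
            yield f.read(caplen)

def parse_tcp(frame):
    """Return ((src, sport, dst, dport), tcp_flags, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip Ethernet + IPv4 header (IHL-aware)
    sport, dport = struct.unpack("!HH", tcp[:4])
    return (frame[26:30], sport, frame[30:34], dport), tcp[13], tcp[(tcp[12] >> 4) * 4:]

def find_midstream_http_flows(frames):
    """Return flows carrying HTTP-looking data in which no SYN was ever seen:
    with the handshake filtered out, Suricata has no session to follow."""
    flows = {}  # direction-independent key -> {"syn": bool, "http": bool}
    for frame in frames:
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        (src, sport, dst, dport), flags, payload = parsed
        key = tuple(sorted([(src, sport), (dst, dport)]))
        state = flows.setdefault(key, {"syn": False, "http": False})
        state["syn"] |= bool(flags & SYN)
        state["http"] |= payload.startswith(HTTP_MARKERS)
    return [key for key, state in flows.items() if state["http"] and not state["syn"]]

def build_frame(src, sport, dst, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame for the sample below (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

C, S = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed client/server addresses
SAMPLE = [
    build_frame(C, 40000, S, 80, 0x02), build_frame(S, 80, C, 40000, 0x12),  # SYN, SYN/ACK
    build_frame(C, 40000, S, 80, 0x18, b"GET / HTTP/1.1\r\n\r\n"),
    build_frame(C, 40001, S, 80, 0x18, b"GET /x HTTP/1.1\r\n\r\n"),  # flow with no SYN at all
    build_frame(S, 80, C, 40001, 0x18, b"HTTP/1.1 200 OK\r\n\r\n"),
]
```

Run it over a real capture with `find_midstream_http_flows(read_pcap("capture.pcap"))`; an empty result means every HTTP flow in the file still has its handshake.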


I’m glad it got sorted out. You didn’t waste anybody’s time – we’re here to help.
