Bug #2907
Closed
Sometimes TLS Logs are missing
Description
I'm currently testing Suricata with some pcaps that are known to have TLS connections (files are attached to this post). But Suricata only logs the TLS connection of a small subset of these pcaps.
Files
Updated by Mats Klepsland over 5 years ago
- Assignee set to Mats Klepsland
I took a look at the pcaps and it seems that most of them have packets with invalid checksums. They might have been captured with checksum offloading turned on, or something else that messes up the checksums. This is quite a common problem when processing pcap files with Suricata.
Because of this, I usually use '-k none' when reading pcap files, especially when reading pcap files captured by other people. This makes Suricata disable the checksum checking.
Let me know if this solves your problem :)
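One way to check whether a capture is affected before reaching for '-k none', as an added example that is not part of the original thread or of Suricata's code: it counts TCP/IPv4 packets whose TCP checksum does not verify. It assumes a classic (non-pcapng) Ethernet capture; the function names are hypothetical and the sample capture is constructed inline, not taken from the attached files.

```python
import struct

def csum(data: bytes) -> int:
    """RFC 1071 Internet checksum: 16-bit one's complement of the folded sum."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_checksum_ok(ip: bytes) -> bool:
    """Verify the TCP checksum of one IPv4 packet (link-layer header removed)."""
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    segment = ip[ihl:total_len]  # slicing by total length drops Ethernet padding
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    return csum(pseudo + segment) == 0  # a valid segment sums to 0xFFFF

def scan_pcap(pcap: bytes):
    """Return (tcp_packets_checked, bad_tcp_checksums) for an Ethernet pcap."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    seen, bad, off = 0, 0, 24  # records start after the 24-byte global header
    while off + 16 <= len(pcap):
        incl, orig = struct.unpack(endian + "II", pcap[off + 8:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        # Check only untruncated Ethernet II / IPv4 / TCP frames; a frame cut
        # short by the snap length cannot be verified either way.
        if incl == orig >= 54 and frame[12:14] == b"\x08\x00" and frame[23] == 6:
            seen += 1
            bad += not tcp_checksum_ok(frame[14:])
    return seen, bad

def sample_frame(valid: bool) -> bytes:
    """Constructed TCP SYN to port 443; valid=False leaves the checksum at 0."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 443, 1, 0, 0x50, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    ip = ip[:10] + struct.pack("!H", csum(ip)) + ip[12:]
    if valid:
        pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
        tcp = tcp[:16] + struct.pack("!H", csum(pseudo + tcp)) + tcp[18:]
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp

def sample_pcap() -> bytes:
    """Constructed capture: one valid frame followed by two invalid ones."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (sample_frame(True), sample_frame(False), sample_frame(False)):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

A high share of bad checksums, as in the constructed capture here, is the pattern that makes checksum validation a likely cause of missing TLS log entries.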
Updated by Mats Klepsland over 5 years ago
- Status changed from New to Resolved
I'm glad to hear that. Thanks for letting me know that it solved your problem :)
Updated by Mats Klepsland over 5 years ago
- Status changed from Resolved to Closed