zeek/testing/btest/Baseline/core.tunnels.gre-over-udp/http.log
Arne Welzel 536686f02d gre-over-udp: Update testing pcap with both endpoints
The first pcap only contained packets from the originator, not the responder.

What stands out here is that the Linux kernel doesn't seem to use a symmetric
flow hash for the tunneled connection, resulting in a total of four tunnel
connections for the two inner connections. Sigh.
2023-10-17 12:30:14 +02:00

### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path http
#open XXXX-XX-XX-XX-XX-XX
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri referrer version user_agent origin request_body_len response_body_len status_code status_msg info_code info_msg tags username password proxied orig_fuids orig_filenames orig_mime_types resp_fuids resp_filenames resp_mime_types
#types time string addr port addr port count string string string string string string string count count count string count string set[enum] string string set[string] vector[string] vector[string] vector[string] vector[string] vector[string] vector[string]
XXXXXXXXXX.XXXXXX CmES5u32sYpV7JYN 172.17.0.2 36518 192.0.78.150 80 1 GET zeek.org / - 1.1 curl/7.87.0 - 0 162 301 Moved Permanently - - (empty) - - - - - - FUNuKw3T9FybXoo6P6 - text/html
#close XXXX-XX-XX-XX-XX-XX