Skip to content

Commit

Permalink
[Packetbeat] HTTP: Improve support for 100-continue elastic#15830 (el…
Browse files Browse the repository at this point in the history
…astic#19349)

* refactor(packet beat): Improve support for 100-continue

* test(packetbeat): 100-continue only generate one event without error

* test(packetbeat): 100-continue only generate one event without error

* Update packetbeat/protos/http/http.go

Co-authored-by: Adrian Serrano <adrisr83@gmail.com>

* delete unused string

* Fix format issue

Co-authored-by: Marc Guasch <marc.guasch@elastic.co>
Co-authored-by: Adrian Serrano <adrisr83@gmail.com>
(cherry picked from commit 41bc8c6)
  • Loading branch information
OhBonsai authored and marc-gr committed Jul 27, 2020
1 parent 462e79d commit ce39f95
Show file tree
Hide file tree
Showing 4 changed files with 40 additions and 0 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -684,6 +684,8 @@ field. You can revert this change by configuring tags for the module and omittin
*Packetbeat*

- Add ECS fields for x509 certs, event categorization, and related IP info. {pull}19167[19167]
- Add 100-continue support {issue}15830[15830] {pull}19349[19349]


*Functionbeat*

Expand Down
6 changes: 6 additions & 0 deletions packetbeat/protos/http/http.go
Original file line number Diff line number Diff line change
Expand Up @@ -457,6 +457,12 @@ func (http *httpPlugin) flushResponses(conn *httpConnectionData) {
unmatchedResponses.Add(1)
resp := conn.responses.pop()
debugf("Response from unknown transaction: %s. Reporting error.", resp.tcpTuple)

if resp.statusCode == 100 {
debugf("Drop first 100-continue response")
return
}

event := http.newTransaction(nil, resp)
http.publishTransaction(event)
}
Expand Down
Binary file not shown.
32 changes: 32 additions & 0 deletions packetbeat/tests/system/test_0070_http_100_continue.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
from packetbeat import BaseTest

"""
Tests for checking expect 100-continue only generate 1 event
"""


class Test(BaseTest):

def test_http_100_continue(self):
"""
Should only generate one event
"""
self.render_config_template(
iface_device="lo0",
http_ports=["9200"],
http_send_all_headers=True
)
self.run_packetbeat(pcap="http_100_continue.pcap")
objs = self.read_output_json()

assert len(objs) == 1
o = objs[0]

assert o["type"] == "http"
assert "request" in o["http"]
assert "headers" in o["http"]["request"]
assert o["http"]["request"]["headers"]["expect"] == "100-continue"

assert "response" in o["http"]

assert not "error" in o

0 comments on commit ce39f95

Please sign in to comment.