PCAP Based on Destination IP and HTTP Error Response


#1

I would like to start a PCAP based on a destination server IP address AND a specific HTTP status code. In this case a 404 error. My attempt to code this is below but is not working. Any assistance would be appreciated.

/*--------------Configuration--------------------*/
var dest_server = { ipaddr: '10.225.104.122' }; // change this to match the destination server you want to capture.
var web_error = { statusCode: '404' }; // change this to match the web status code you are looking for
var pcapName = 'OnDemand_' + Flow.client.ipaddr + ' TO -> ' + Flow.server.ipaddr;
/*-------------End configuration values--------------*/
// Don't modify below.
if (Flow.server.ipaddr == dest_server.ipaddr && statusCode == web_error) { // Test passed, start packet capture
    var opts = { maxPackets: 2000 };
    Flow.captureStart(pcapName, opts);
    debug('Start PCAP: ' + pcapName);
} else {
    return;
}
/*--------------End of trigger------------------*/

#2

This is a subtle one.

You use statusCode, I think you want HTTP.statusCode.

Also, were it me, I’d simplify the trigger and go with something like this:

if ( Flow.server.ipaddr == "10.225.104.122" && HTTP.statusCode == 404 ) {

A bit easier to read and consumes fewer CPU cycles.
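The corrected trigger, modelled stand-alone so it can be run outside the ExtraHop runtime (an added example, not code from either post). In a real trigger `Flow`, `HTTP` and `debug` are runtime globals; here `makeIp` and `makeFlow` are constructed mocks, and the addresses and status codes are sample values.

```javascript
// Added example (not from the thread): a stand-alone model of the corrected
// ExtraHop HTTP_RESPONSE trigger. Flow and HTTP are mocked here so the
// predicate logic runs offline.

var DEST_SERVER = "10.225.104.122"; // destination server to capture (sample)
var WEB_STATUS = 404;               // HTTP status code of interest
var MAX_PACKETS = 2000;

// Mimic the runtime: ipaddr values are objects that stringify to the address,
// which is why == against a string literal works in the trigger.
function makeIp(addr) { return { toString: function () { return addr; } }; }

// Mock Flow that records captureStart calls instead of capturing packets.
function makeFlow(clientAddr, serverAddr) {
  return {
    client: { ipaddr: makeIp(clientAddr) },
    server: { ipaddr: makeIp(serverAddr) },
    captures: [],
    captureStart: function (name, opts) { this.captures.push({ name: name, opts: opts }); }
  };
}

// Corrected trigger body. Returns the PCAP name when a capture was started,
// otherwise null. The cheap comparison runs first and the name is only built
// when it is needed, which is the CPU point made in the reply above.
function onHttpResponse(Flow, HTTP) {
  if (Flow.server.ipaddr == DEST_SERVER && HTTP.statusCode == WEB_STATUS) {
    var pcapName = "OnDemand_" + Flow.client.ipaddr + " TO -> " + Flow.server.ipaddr;
    Flow.captureStart(pcapName, { maxPackets: MAX_PACKETS });
    return pcapName;
  }
  return null;
}

// Why the original comparison never matched: a status value compared with the
// whole config object is always false; compared with the number it is true.
function comparisonPitfall() {
  var webError = { statusCode: "404" };
  return { againstObject: ("404" == webError), againstValue: (404 == webError.statusCode) };
}
```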


#3

Works perfect! Thank you.


#4

Happy to help!