elastic · marc-gr · Jul 27, 2020 · Jun 23, 2020 · Jul 17, 2020 · Jul 17, 2020
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -596,6 +596,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
   `host` metadata fields when processing network data from network tap or mirror
   port. {pull}19209[19209]
 - Add ECS fields for x509 certs, event categorization, and related IP info. {pull}19167[19167]
+- Add 100-continue support {issue}15830[15830] {pull}19349[19349]
+
 
 *Functionbeat*
 - Add basic ECS categorization and `cloud` fields. {pull}19174[19174]

diff --git a/packetbeat/protos/http/http.go b/packetbeat/protos/http/http.go
@@ -457,6 +457,12 @@ func (http *httpPlugin) flushResponses(conn *httpConnectionData) {
 		unmatchedResponses.Add(1)
 		resp := conn.responses.pop()
 		debugf("Response from unknown transaction: %s. Reporting error.", resp.tcpTuple)
+
+		if bytes.Equal(resp.statusPhrase, continueStatePhrase) && resp.statusCode == 100 {
+			debugf("Drop first 100-continue response")
+			return
+		}
+
 		event := http.newTransaction(nil, resp)
 		http.publishTransaction(event)
 	}

diff --git a/packetbeat/protos/http/http_parser.go b/packetbeat/protos/http/http_parser.go
@@ -110,9 +110,10 @@ var (
 
 	constCRLF = []byte("\r\n")
 
-	constClose       = []byte("close")
-	constKeepAlive   = []byte("keep-alive")
-	constHTTPVersion = []byte("HTTP/")
+	constClose          = []byte("close")
+	constKeepAlive      = []byte("keep-alive")
+	constHTTPVersion    = []byte("HTTP/")
+	continueStatePhrase = []byte("Continue")
 
 	nameContentLength    = []byte("content-length")
 	nameContentType      = []byte("content-type")

diff --git a/packetbeat/tests/system/pcaps/http_100_continue.pcap b/packetbeat/tests/system/pcaps/http_100_continue.pcap
diff --git a/packetbeat/tests/system/test_0070_http_100_continue.py b/packetbeat/tests/system/test_0070_http_100_continue.py
@@ -0,0 +1,32 @@
+from packetbeat import BaseTest
+
+"""
+Tests for checking expect 100-continue only generate 1 event
+"""
+
+
+class Test(BaseTest):
+
+    def test_http_100_continue(self):
+        """
+        Should only generate one event
+        """
+        self.render_config_template(
+            iface_device="lo0",
+            http_ports=["9200"],
+            http_send_all_headers=True
+        )
+        self.run_packetbeat(pcap="http_100_continue.pcap")
+        objs = self.read_output_json()
+
+        assert len(objs) == 1
+        o = objs[0]
+
+        assert o["type"] == "http"
+        assert "request" in o["http"]
+        assert "headers" in o["http"]["request"]
+        assert o["http"]["request"]["headers"]["expect"] == "100-continue"
+
+        assert "response" in o["http"]
+
+        assert not "error" in o