Bug #1711 (closed)
eve: Ethernet Header Missing From Packet Field
Description
Hello,
I am seeing an issue where the Ethernet headers are not present in the JSON packet field. I am seeing this issue across two different platforms using two different traffic acquisition methods.
FreeBSD:
10.2-RELEASE-p12
NIC: Intel(R) PRO/1000 Network Connection 7.4.2
Suricata 3.0_1 from ports
Suricata is bound to the external VLAN interface:
/usr/local/bin/suricata -D -i vlan30 --pidfile /var/run/suricata.pid -c /usr/local/etc/suricata/suricata.yaml
Ubuntu:
12.04
Suricata 3.0
af-packet
Suricata is acquiring data via an in-line TAP.
Sample:
00000000 45 00 00 28 00 00 00 00 40 06 c7 ae ae 6d a5 ce |E..(....@....m..|
00000010 c6 33 98 b2 f6 22 00 50 ca 47 11 f0 4e 1b dc e6 |.3...".P.G..N...|
00000020 50 10 0a 00 f5 05 00 00 |P.......|
00000028
{"timestamp":"2016-02-05T20:50:44.006188-0500","flow_id":2264548352,"event_type":"alert","src_ip":"174.109.165.206","src_port":63010,"dest_ip":"198.51.152.178","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2260001,"rev":1,"signature":"SURICATA Applayer Wrong direction first Data","category":"Generic Protocol Command Decode","severity":3},"stream":0,"packet":"RQAAKAAAAABABseurm2lzsYzmLL2IgBQykcR8E4b3OZQEAoA9QUAAA=="}
This issue does not seem to be associated with any particular protocol as I have observed the same behavior with SMTP, HTTP, LDAP, HTTPS, etc.
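A quick way to confirm what the report describes is to decode the base64 `packet` value and look at what the first bytes actually are. The script below is an added example for this bug, not Suricata code: it takes the alert line quoted above, decodes the `packet` field, decides whether the bytes start with a 14-byte Ethernet header or directly with an IP header, parses the IPv4/TCP fields, verifies the IPv4 header checksum, and cross-checks the addresses and ports against the `src_ip`/`dest_ip`/`src_port`/`dest_port` fields of the same record. The helper names (`parse_packet`, `check_against_event`, `wrap_in_ethernet`) and the MAC addresses used in `wrap_in_ethernet` are my own; that function only constructs the Ethernet-prefixed shape for contrast.

```python
"""Inspect the base64 `packet` field of a Suricata EVE alert record.

Added example for this bug report, not part of Suricata. Helper names and
the MAC addresses in wrap_in_ethernet() are assumptions for illustration.
"""
import base64
import ipaddress
import json
import struct

# Alert record copied from the bug report above; its `packet` field is the
# 40-byte sample shown in the hexdump.
EVE_LINE = (
    '{"timestamp":"2016-02-05T20:50:44.006188-0500","flow_id":2264548352,'
    '"event_type":"alert","src_ip":"174.109.165.206","src_port":63010,'
    '"dest_ip":"198.51.152.178","dest_port":80,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":2260001,"rev":1,'
    '"signature":"SURICATA Applayer Wrong direction first Data",'
    '"category":"Generic Protocol Command Decode","severity":3},"stream":0,'
    '"packet":"RQAAKAAAAABABseurm2lzsYzmLL2IgBQykcR8E4b3OZQEAoA9QUAAA=="}'
)

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
IPPROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def decode_packet(eve_line: str) -> bytes:
    """Return the raw bytes carried in an EVE record's base64 `packet` field."""
    return base64.b64decode(json.loads(eve_line)["packet"])


def ipv4_header_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement sum over the IPv4 header; 0 means the
    checksum stored in the header is valid."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_packet(raw: bytes) -> dict:
    """Classify the link layer, then pull out IPv4 and TCP fields if present."""
    info = {"link_layer": "unknown", "length": len(raw)}
    offset = 0
    # Ethernet: 14-byte header whose EtherType must agree with the IP
    # version nibble that follows it.
    if len(raw) >= 15:
        ethertype = struct.unpack("!H", raw[12:14])[0]
        want_version = {ETHERTYPE_IPV4: 4, ETHERTYPE_IPV6: 6}.get(ethertype)
        if want_version is not None and (raw[14] >> 4) == want_version:
            info["link_layer"] = "ethernet"
            info["ethertype"] = ethertype
            offset = 14
    # No Ethernet header: the first nibble is then the IP version itself.
    if offset == 0 and raw and (raw[0] >> 4) in (4, 6):
        info["link_layer"] = "none (raw IPv%d)" % (raw[0] >> 4)
    ip = raw[offset:]
    if len(ip) < 20 or (ip[0] >> 4) != 4:
        return info  # only IPv4 is decoded further in this example
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    info["ipv4"] = {
        "src": str(ipaddress.IPv4Address(ip[12:16])),
        "dst": str(ipaddress.IPv4Address(ip[16:20])),
        "proto": IPPROTO_NAMES.get(proto, str(proto)),
        "total_length": struct.unpack("!H", ip[2:4])[0],
        "checksum_ok": ipv4_header_checksum(ip[:ihl]) == 0,
    }
    if proto == 6 and len(ip) >= ihl + 20:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        info["tcp"] = {"sport": sport, "dport": dport, "flags": ip[ihl + 13]}
    return info


def check_against_event(eve_line: str) -> dict:
    """Decode the record's packet and compare it with the record's own
    address/port/proto fields; `matches_event` tells whether they agree."""
    event = json.loads(eve_line)
    info = parse_packet(decode_packet(eve_line))
    ip, tcp = info.get("ipv4", {}), info.get("tcp", {})
    info["matches_event"] = (
        ip.get("src") == event["src_ip"]
        and ip.get("dst") == event["dest_ip"]
        and ip.get("proto") == event["proto"]
        and tcp.get("sport") == event.get("src_port")
        and tcp.get("dport") == event.get("dest_port")
    )
    return info


def wrap_in_ethernet(ip_packet: bytes) -> bytes:
    """Prepend a constructed Ethernet header (made-up MACs, EtherType IPv4)
    to show the shape the field would have if the link layer were kept."""
    dst_mac = bytes.fromhex("001122334455")  # constructed, not from the report
    src_mac = bytes.fromhex("66778899aabb")  # constructed, not from the report
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_packet


if __name__ == "__main__":
    print(json.dumps(check_against_event(EVE_LINE), indent=2))
    wrapped = parse_packet(wrap_in_ethernet(decode_packet(EVE_LINE)))
    print("with Ethernet header prepended:", wrapped["link_layer"])
```

On the record from the report this prints `"link_layer": "none (raw IPv4)"` with a valid IPv4 header checksum and addresses/ports that match the record, which is exactly the symptom described: the 40 bytes are a complete IP packet starting at offset 0 with nothing in front of it. The link-layer heuristic is deliberately conservative: a raw IPv4 packet whose source address begins with 8.0.64.x through 8.0.79.x would have bytes 12..14 that look like an IPv4 EtherType followed by a version-4 nibble, so when that matters check the IHL/total-length fields at both candidate offsets rather than trusting the EtherType alone.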