Bug #2934
openVLAN tags stripped when saving pcap log
Description
Hi,
As this is my first report, sorry if the report is not perfect.
Playing with SELKS I found out that the PCAPs saved from Suricata and picked up by Moloch are missing the VLAN information. I checked Moloch PCAPs from /data/moloch/raw, Suricata PCAPs from /data/nsm and traffic recorded from my mirror interface using tcpdump. The tcpdump PCAP has VLAN information; the Moloch and Suricata PCAPs don't.
With the same config file, if I feed the PCAP file to Suricata (suricata -k none -r vlan_test.pcap --runmode single), the VLAN information is preserved in the PCAP file saved by Suricata.
Attached is my Suricata build info. Hope it helps.
regards,
Martins
Updated by Peter Manev over 5 years ago
It seems if a pcap is read - it preserves the vlan info. If AFPv3 is used then when Suricata is writing the pcap ( https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L363 ) it does not preserve it.
Updated by Victor Julien over 5 years ago
- Related to Bug #1780: VLAN tags not forwarded in afpacket inline mode added
Updated by Victor Julien over 5 years ago
This issue is likely the same as #1780. The vlan header is not part of the raw packet and is thus not written into the pcap. In the IPS mode the solution was to re-add it to the forwarded packet manually. I think we will need the same here.
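The re-add step described in the comment above, as an added illustration in C that is not Suricata's code: it assumes the frame arrived from af-packet with the 802.1Q tag already stripped and that the Tag Control Information (TCI) was handed over out of band (the tp_vlan_tci field of the tpacket header), and it rebuilds the tagged frame so the pcap logger can write it with the VLAN information intact.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HDR_LEN    14
#define VLAN_HDR_LEN   4
#define ETHERTYPE_VLAN 0x8100

/* Constructed sample frame: broadcast dst, made-up src, EtherType IPv4,
 * four payload bytes. This is what af-packet delivers after stripping. */
static const uint8_t SAMPLE_UNTAGGED[18] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,   /* dst MAC */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* src MAC */
    0x08, 0x00,                           /* EtherType: IPv4 */
    0x45, 0x00, 0x00, 0x14                /* start of an IP header */
};

/* Return 1 if the frame's Ethernet header already carries an 802.1Q tag. */
int frame_has_vlan_tag(const uint8_t *frame, size_t len)
{
    if (len < ETH_HDR_LEN)
        return 0;
    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    return ethertype == ETHERTYPE_VLAN;
}

/* Re-insert the 802.1Q header between the MAC addresses and the EtherType.
 * 'tci' is the PCP/DEI/VID word the kernel reported out of band (assumed
 * here to come from tp_vlan_tci). 'in' and 'out' must not overlap.
 * Returns the tagged frame length, or -1 if the input is too short,
 * the output buffer too small, or the frame is already tagged. */
int vlan_reinsert(const uint8_t *in, size_t in_len, uint16_t tci,
                  uint8_t *out, size_t out_cap)
{
    if (in_len < ETH_HDR_LEN || out_cap < in_len + VLAN_HDR_LEN)
        return -1;
    if (frame_has_vlan_tag(in, in_len))   /* refuse to double-tag */
        return -1;

    memcpy(out, in, 12);                  /* dst + src MAC unchanged */
    out[12] = 0x81;                       /* TPID 0x8100 */
    out[13] = 0x00;
    out[14] = (uint8_t)(tci >> 8);        /* TCI, network byte order */
    out[15] = (uint8_t)(tci & 0xff);
    memcpy(out + 16, in + 12, in_len - 12);  /* original EtherType + payload */
    return (int)(in_len + VLAN_HDR_LEN);
}
```

A quick fidelity check for a capture is to run frame_has_vlan_tag over the first frames of the written pcap; if the mirror port carries tagged traffic and none of them report a tag, the logger is still writing the stripped frame.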
Updated by Andreas Herz over 5 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Andreas Herz over 5 years ago
- Related to Bug #2478: PCAP logging does not include 802.1q header when using af-packet added