Bug #2934

open

VLAN tags stripped when saving pcap log

Added by Martins Zabarovskis over 5 years ago. Updated over 5 years ago.

Status: New
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,

As this is my first report, sorry if the report is not perfect.

Playing with SELKS, I found out that the PCAPs saved by Suricata and picked up by Moloch are missing the VLAN information. I checked Moloch PCAPs from /data/moloch/raw, Suricata PCAPs from /data/nsm and a traffic recording from my mirror interface made with tcpdump. The tcpdump PCAP has VLAN information; the Moloch and Suricata PCAPs don't.

With the same config file, if I feed the PCAP file to Suricata (suricata -k none -r vlan_test.pcap --runmode single), the VLAN information is preserved in the PCAP file saved by Suricata.

Attached is my Suricata build info. Hope it helps.

regards,
Martins


Files

Suricata-BuildInfo.txt (3.87 KB): Suricata Build Info. Martins Zabarovskis, 04/16/2019 05:30 PM

Related issues (1 open, 1 closed)

  • Related to Suricata - Bug #1780: VLAN tags not forwarded in afpacket inline mode (Closed, Eric Leblond, 05/06/2016)
  • Related to Suricata - Bug #2478: PCAP logging does not include 802.1q header when using af-packet (Feedback, OISF Dev)

#1

Updated by Peter Manev over 5 years ago

It seems that if a pcap is read, it preserves the vlan info. If AFPv3 is used, then when Suricata is writing the pcap ( https://github.com/OISF/suricata/blob/master/suricata.yaml.in#L363 ) it does not preserve it.

#2

Updated by Victor Julien over 5 years ago

  • Related to Bug #1780: VLAN tags not forwarded in afpacket inline mode added

#3

Updated by Victor Julien over 5 years ago

This issue is likely the same as #1780. The vlan header is not part of the raw packet and is thus not written into the pcap. In the IPS mode the solution was to re-add it to the forwarded packet manually. I think we will need the same here.

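The mechanism Victor describes, shown as an added example that is not Suricata's own code: AF_PACKET hands over the frame with the 802.1Q tag already removed and reports the TPID and TCI out of band (tpacket auxdata's tp_vlan_tpid / tp_vlan_tci), so a logger that wants the tag in its pcap must splice a 4-byte header back in between the MAC addresses and the original EtherType. The frame bytes, TCI value and function names below are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_ADDR_LEN 12        /* dst MAC + src MAC */
#define VLAN_HDR_LEN 4         /* TPID + TCI */
#define TPID_8021Q   0x8100

/* Re-insert the 802.1Q header the kernel stripped, placing it between
 * the MAC addresses and the original EtherType. tpid and tci are the
 * values AF_PACKET reports out of band (tp_vlan_tpid / tp_vlan_tci).
 * Returns the new length, or 0 if the buffers do not fit. */
size_t vlan_reinsert(const uint8_t *in, size_t in_len, uint16_t tpid,
                     uint16_t tci, uint8_t *out, size_t out_cap)
{
    if (in_len < ETH_ADDR_LEN || out_cap < in_len + VLAN_HDR_LEN)
        return 0;
    memcpy(out, in, ETH_ADDR_LEN);
    out[12] = (uint8_t)(tpid >> 8);   /* big-endian on the wire */
    out[13] = (uint8_t)(tpid & 0xff);
    out[14] = (uint8_t)(tci >> 8);
    out[15] = (uint8_t)(tci & 0xff);
    memcpy(out + 16, in + ETH_ADDR_LEN, in_len - ETH_ADDR_LEN);
    return in_len + VLAN_HDR_LEN;
}

/* VLAN ID of a tagged frame, or -1 if untagged: the check a pcap
 * consumer makes to see whether VLAN information survived logging. */
int vlan_id_of(const uint8_t *f, size_t len)
{
    if (len < 16 || ((f[12] << 8) | f[13]) != TPID_8021Q)
        return -1;
    return ((f[14] << 8) | f[15]) & 0x0fff;   /* low 12 bits */
}

/* Constructed sample: the untagged frame as AF_PACKET delivers it.
 * The tag it lost is PCP 3, VID 100, i.e. TCI 0x6064. */
static const uint8_t sample[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x08,0x00,                 /* EtherType IPv4 */
    0x45,0x00,0x00,0x14        /* first bytes of an IPv4 header */
};
static uint8_t tagged[sizeof(sample) + VLAN_HDR_LEN];

size_t demo_len(void) {  /* 18 -> 22 bytes */
    return vlan_reinsert(sample, sizeof(sample), TPID_8021Q, 0x6064,
                         tagged, sizeof(tagged));
}
int demo_vid(void) {     /* 100 once the tag is back, -1 before */
    return vlan_id_of(tagged, demo_len());
}
```
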
#4

Updated by Andreas Herz over 5 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD

#5

Updated by Andreas Herz over 5 years ago

  • Related to Bug #2478: PCAP logging does not include 802.1q header when using af-packet added