Bug #2934: VLAN tags stripped when saving pcap log - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #2934

open

VLAN tags stripped when saving pcap log

Added by Martins Zabarovskis over 5 years ago. Updated over 5 years ago.

Status:

New

Priority:

Normal

Assignee:

OISF Dev

Target version:

TBD

Affected Versions:

5.0beta1

Effort:

Difficulty:

Label:

Description

Hi,

As this is my first report, sorry if the report is not perfect.

Playing with SELKS I find out that the PCAPs saved from Suricata and picked up by Moloch is missing the VLAN information. I checked Moloch PCAPs from /data/moloch/raw, Suricata PCAPs from /data/nsm and traffic record from my mirror interface using tcpdump. Tcpdump PCAP has VLAN information, Moloch and Suricata PCAPs don`t.

With the same config file, if I feed the PCAP file to Suricata ( suricata -k none -r vlan_test.pcap --runmode single ), the VLAN information is preserved in PCAP file saved by Suricata.

Attached is my Suricata build info. Hope it helps.

regards,
Martins

Files

Suricata-BuildInfo.txt (3.87 KB) Suricata-BuildInfo.txt

Suricata Build Info

Martins Zabarovskis, 04/16/2019 05:30 PM

Related issues 2 (1 open — 1 closed)

Actions

Copy link

Also available in: Atom PDF

	Related to Suricata - Bug #1780: VLAN tags not forwarded in afpacket inline mode	Closed	Eric Leblond	05/06/2016			Actions
	Related to Suricata - Bug #2478: PCAP logging does not include 802.1q header when using af-packet	Feedback	OISF Dev				Actions

Project

General

Profile

Suricata

Custom queries

Bug #2934

VLAN tags stripped when saving pcap log

Updated by Peter Manev over 5 years ago

Updated by Victor Julien over 5 years ago

Updated by Victor Julien over 5 years ago

Updated by Andreas Herz over 5 years ago

Updated by Andreas Herz over 5 years ago