
Bug #2934

open

VLAN tags stripped when saving pcap log

Added by Martins Zabarovskis over 5 years ago. Updated over 5 years ago.

Status: New
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,

As this is my first report, sorry if the report is not perfect.

Playing with SELKS, I found out that the PCAPs saved by Suricata and picked up by Moloch are missing the VLAN information. I checked the Moloch PCAPs from /data/moloch/raw, the Suricata PCAPs from /data/nsm and a traffic recording from my mirror interface made with tcpdump. The tcpdump PCAP has the VLAN information; the Moloch and Suricata PCAPs don't.

With the same config file, if I feed the PCAP file to Suricata (suricata -k none -r vlan_test.pcap --runmode single), the VLAN information is preserved in the PCAP file saved by Suricata.

Attached is my Suricata build info. Hope it helps.

regards,
Martins
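The comparison the reporter describes (tcpdump capture vs. Moloch raw files vs. Suricata pcap-log output) can be done mechanically by counting 802.1Q/802.1ad tagged frames in each file. The script below is an added check, not code from the bug report, from Suricata or from Moloch: a minimal classic-pcap reader that walks the Ethernet tag stack of every frame and reports how many frames carry VLAN tags and which VLAN IDs appear. The embedded sample capture is constructed here for demonstration; the file paths in the usage note are assumptions.

```python
import struct
import sys
from typing import Dict, Iterator, List

LINKTYPE_ETHERNET = 1
# 802.1Q (0x8100), 802.1ad service tag (0x88a8) and the legacy QinQ value (0x9100)
VLAN_ETHERTYPES = {0x8100, 0x88A8, 0x9100}


def iter_pcap_frames(data: bytes) -> Iterator[bytes]:
    """Yield the raw link-layer frames of a classic (non-pcapng) pcap blob."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unexpected link type %d, expected Ethernet" % linktype)
    off = 24  # size of the global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def vlan_tags(frame: bytes) -> List[int]:
    """Return the VLAN IDs in a frame's tag stack, outermost first ([] if untagged)."""
    tags = []
    off = 12  # skip destination and source MAC
    while off + 4 <= len(frame):
        ethertype, tci = struct.unpack_from("!HH", frame, off)
        if ethertype not in VLAN_ETHERTYPES:
            break
        tags.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        off += 4
    return tags


def vlan_summary(data: bytes) -> Dict[str, object]:
    """Count total and VLAN-tagged frames and collect the VLAN IDs seen."""
    total = tagged = 0
    vids = set()
    for frame in iter_pcap_frames(data):
        total += 1
        tags = vlan_tags(frame)
        if tags:
            tagged += 1
            vids.update(tags)
    return {"frames": total, "tagged": tagged, "vids": sorted(vids)}


# --- constructed sample capture (not from the bug report) ---------------------
def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap raw Ethernet frames in a little-endian classic pcap container."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1555430000 + i, 0, len(frame), len(frame)) + frame
    return out


_MACS = bytes.fromhex("0011223344550a0b0c0d0e0f")
_IPV4_STUB = b"\x08\x00" + b"\x45" + b"\x00" * 19  # ethertype + truncated IPv4 header
SAMPLE_PCAP = build_pcap([
    _MACS + _IPV4_STUB,                                             # untagged
    _MACS + b"\x81\x00\x00\x64" + _IPV4_STUB,                       # 802.1Q, VID 100
    _MACS + b"\x88\xa8\x00\xc8" + b"\x81\x00\x00\x64" + _IPV4_STUB,  # QinQ 200/100
])


def main(paths: List[str]) -> None:
    if not paths:
        print("sample:", vlan_summary(SAMPLE_PCAP))
        return
    for path in paths:
        with open(path, "rb") as fh:
            print(path, vlan_summary(fh.read()))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it against the three captures, e.g. `python3 vlancheck.py /tmp/tcpdump.pcap /data/nsm/log.pcap.* /data/moloch/raw/*.pcap` (paths assumed); a file whose `tagged` count is 0 while the tcpdump capture of the same traffic reports tags has had its 802.1Q headers stripped before logging. Suricata and Moloch both write classic pcap, which is why the reader deliberately does not handle pcapng.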


Files

Suricata-BuildInfo.txt (3.87 KB) - Suricata Build Info - Martins Zabarovskis, 04/16/2019 05:30 PM

Related issues (1 open, 1 closed)

Related to Suricata - Bug #1780: VLAN tags not forwarded in afpacket inline mode (Closed; Eric Leblond; 05/06/2016)
Related to Suricata - Bug #2478: PCAP logging does not include 802.1q header when using af-packet (Feedback; OISF Dev)