Support #2972
How can I get the MAC in NFQ mode
Status: Closed
Priority: Normal
Assignee: -
Affected Versions:
Label:
Description
When I start Suricata in NFQ mode, as suricata -c /etc/suricata/suricata.yaml -q 0 -q 1, I can't get the MAC address from the packet, because if a packet is from NFQ, there are no MAC bytes when I use Wireshark to capture the packet.
Updated by Alexander Gozman over 5 years ago
John Smith wrote:
> When I start Suricata in NFQ mode, as suricata -c /etc/suricata/suricata.yaml -q 0 -q 1, I can't get the MAC address from the packet, because if a packet is from NFQ, there are no MAC bytes when I use Wireshark to capture the packet.
At best (AFAIK), NFQ can provide source MAC address but never a destination one (because it's unknown at the moment of capture).
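What the reply above refers to, as an added example that is not part of the ticket or of Suricata's code: a queued packet arrives as netlink attributes in which the payload starts at the IP header and the only link-layer field is the optional NFQA_HWADDR attribute carrying the source address. The attribute numbers and struct layout follow `<linux/netfilter/nfnetlink_queue.h>`; the buffer is constructed sample data and the function names are hypothetical.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Attribute types and struct layout as in <linux/netfilter/nfnetlink_queue.h>. */
#define NFQA_HWADDR  9
#define NFQA_PAYLOAD 10
struct pkt_hw { uint16_t hw_addrlen; uint16_t pad; uint8_t hw_addr[8]; };
/* Walk netlink attributes (u16 len, u16 type, value padded to 4); NULL if absent. */
static const uint8_t *find_attr(const uint8_t *buf, size_t len, uint16_t want, size_t *vlen) {
    size_t off = 0;
    while (off + 4 <= len) {
        uint16_t alen, atype;
        memcpy(&alen, buf + off, 2); memcpy(&atype, buf + off + 2, 2);
        if (alen < 4 || alen > len - off) return NULL;   /* malformed or truncated */
        if ((atype & 0x3fff) == want) { *vlen = alen - 4u; return buf + off + 4; }
        off += (alen + 3u) & ~3u;
    }
    return NULL;
}

/* Copy the source MAC into mac[6]; returns 0 when no usable NFQA_HWADDR exists. */
static int nfq_source_mac(const uint8_t *attrs, size_t len, uint8_t mac[6]) {
    size_t vlen; struct pkt_hw hw;
    const uint8_t *v = find_attr(attrs, len, NFQA_HWADDR, &vlen);
    if (!v || vlen < sizeof hw) return 0;
    memcpy(&hw, v, sizeof hw);
    if (ntohs(hw.hw_addrlen) != 6) return 0;             /* not an Ethernet address */
    memcpy(mac, hw.hw_addr, 6);
    return 1;
}

/* Constructed sample: NFQA_HWADDR plus a payload that starts at the IPv4 header. */
static size_t build_sample(uint8_t out[24]) {
    struct pkt_hw hw = { htons(6), 0, { 0x02, 0x00, 0x5e, 0x10, 0x20, 0x30, 0, 0 } };
    uint8_t ip[4] = { 0x45, 0x00, 0x00, 0x14 };
    uint16_t h1[2] = { 16, NFQA_HWADDR }, h2[2] = { 8, NFQA_PAYLOAD };
    memcpy(out, h1, 4);      memcpy(out + 4, &hw, 12);
    memcpy(out + 16, h2, 4); memcpy(out + 20, ip, 4);
    return 24;
}

int main(void) {
    uint8_t buf[24], mac[6];
    if (nfq_source_mac(buf, build_sample(buf), mac))
        printf("src %02x:%02x:%02x:%02x:%02x:%02x\n", mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);
    return 0;
}
```

With libnetfilter_queue, `nfq_get_packet_hw()` returns the same structure for a received packet, and it can be NULL, so callers need the same absent-attribute check.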
Updated by Andreas Herz over 5 years ago
- Assignee set to Community Ticket
- Target version set to Support
Updated by Victor Julien over 5 years ago
- Status changed from New to Closed
- Assignee deleted (Community Ticket)
- Target version deleted (Support)
- Difficulty deleted (high)