Support #2972
closed
How can I get the MAC in NFQ mode
Added by John Smith over 5 years ago.
Updated over 5 years ago.
Description
When I start Suricata in NFQ mode, as suricata -c /etc/suricata/suricata.yaml -q 0 -q 1, I can't get the MAC address from the package, because if a package is from NFQ, there are no MAC bytes when I use Wireshark to get the package.
John Smith wrote:
When I start Suricata in NFQ mode, as suricata -c /etc/suricata/suricata.yaml -q 0 -q 1, I can't get the MAC address from the package, because if a package is from NFQ, there are no MAC bytes when I use Wireshark to get the package.
At best (AFAIK), NFQ can provide the source MAC address but never a destination one (because it's unknown at the moment of capture).
- Target version deleted (4.1.4)
- Assignee deleted (Victor Julien)
- Assignee set to Community Ticket
- Target version set to Support
- Status changed from New to Closed
- Assignee deleted (Community Ticket)
- Target version deleted (Support)
- Difficulty deleted (high)
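The reply above says NFQ can hand over a source MAC at best. The following added example (not code from Suricata or libnetfilter_queue) shows where that address sits in a queued-packet netlink message: in a separate NFQA_HWADDR attribute, while NFQA_PAYLOAD begins directly at the IP header. The attribute numbers and the 12-byte `nfqnl_msg_packet_hw` layout are taken from linux/netfilter/nfnetlink_queue.h; the function names `nfq_src_mac` and `nfq_sample` and the sample bytes are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* Attribute types as defined in linux/netfilter/nfnetlink_queue.h. */
enum { NFQA_HWADDR = 9, NFQA_PAYLOAD = 10 };

/* Walk the netlink attributes of one queued-packet message (the bytes after
 * nlmsghdr + nfgenmsg). Copies the source MAC into mac[] and points *l3 at the
 * payload. Returns the MAC length (0 if the kernel sent none), -1 if malformed. */
int nfq_src_mac(const uint8_t *buf, size_t len, uint8_t mac[8], const uint8_t **l3)
{
    int mac_len = 0;
    *l3 = NULL;
    while (len >= 4) {
        uint16_t alen, type, hwlen;
        memcpy(&alen, buf, 2);                /* nla_len, host byte order */
        memcpy(&type, buf + 2, 2);            /* nla_type, host byte order */
        if (alen < 4 || alen > len) return -1;
        if ((type & 0x3fff) == NFQA_HWADDR) { /* struct nfqnl_msg_packet_hw */
            if (alen < 16) return -1;         /* 4-byte header + 12-byte struct */
            memcpy(&hwlen, buf + 4, 2);       /* hw_addrlen, big-endian */
            if ((hwlen = ntohs(hwlen)) > 8) return -1;
            memcpy(mac, buf + 8, hwlen);      /* hw_addr follows 2-byte _pad */
            mac_len = hwlen;
        } else if ((type & 0x3fff) == NFQA_PAYLOAD) {
            *l3 = buf + 4;                    /* starts at the IP header */
        }
        size_t step = (alen + 3u) & ~3u;      /* attributes are 4-byte aligned */
        if (step > len) step = len;
        buf += step;
        len -= step;
    }
    return mac_len;
}

/* Constructed sample: NFQA_HWADDR with a 6-byte MAC, then a 4-byte payload. */
size_t nfq_sample(uint8_t *b)
{
    const uint16_t hdr[] = { 16, NFQA_HWADDR, 8, NFQA_PAYLOAD };
    const uint8_t hw[12] = { 0, 6, 0, 0, 0x02, 0, 0, 0xaa, 0xbb, 0xcc };
    memcpy(b, hdr, 4);
    memcpy(b + 4, hw, 12);
    memcpy(b + 16, hdr + 2, 4);
    memcpy(b + 20, "\x45\x00\x00\x14", 4);
    return 24;
}
```

Programs built on libnetfilter_queue read the same attribute through `nfq_get_packet_hw()`; a return of 0 from the parser here corresponds to a message that carries no hardware address at all.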