Bug #6954: eve: packet field packet_info.linktype is non-portable - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #6954

open

eve: packet field packet_info.linktype is non-portable

Added by Victor Julien 7 months ago. Updated 2 months ago.

Status:

In Review

Priority:

Normal

Assignee:

Jeff Lucovsky

Target version:

8.0.0-beta1

Affected Versions:

Effort:

Difficulty:

Label:

Description

This field holds a numeric representation of the linktype/datalink, but this number can differ between operating systems. Most notably DLT_RAW is has value 12 on linux and 14 on OpenBSD.

It would probably be best to use a string representation. Following capinfos might make sense:

File encapsulation:  Raw IP

Interface #0 info:
                     Encapsulation = Raw IP (7 - rawip)

Could do "Raw IP" or follow the "rawip" notation.

Regardless this should be in a new field.

Actions

Copy link

Updated by Jeff Lucovsky 6 months ago

A simple solution would use the interface pcap_datalink_val_to_name to get the display name for the datalink value.

Actions

Copy link

Updated by Jeff Lucovsky 6 months ago · Edited

Status changed from New to In Review
Assignee changed from OISF Dev to Jeff Lucovsky

https://github.com/OISF/suricata/pull/11279

Actions

Copy link

Updated by Philippe Antoine 2 months ago

Target version changed from TBD to 8.0.0-beta1

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #6954

eve: packet field packet_info.linktype is non-portable

Updated by Jeff Lucovsky 6 months ago

Updated by Jeff Lucovsky 6 months ago · Edited

Updated by Philippe Antoine 2 months ago