BPF not reflected in suricata.log when using pf-ring
Latest git 2.1dev (rev 1010406) - when using a bpf filter from a file with af-packet - this is reflected in the suricata.log.
.... (runmode-af-packet.c:148) <Info> (ParseAFPConfig) -- Going to use command-line provided bpf filter '( (ip and port 20 or 21.......... ....
The same is not true when using BPF with pf-ring.
Updated by Jay MJ over 4 years ago
Andreas Herz wrote:
Is this still an issue?
I checked, it does not appear to be a problem with printable payload and base64 encoded payload fields in eve logs. Also, suricata generated pcaps appear to be fine.
Using this script to convert the packet field, it's just garbage (perhaps another issue?). - https://gist.github.com/jermdw/a39d86c36cedbfa9b9a16faed59434e5
I also did try scapy, which doesn't seem to think the base64 packet is valid at all.
I think it makes sense to close this and, after I update to latest version of suricata, test more. If still present, open issue for packet field malformed. That does not appear to be related to this erspan issue as it is malformed without that header also.
To conclude, version 4.1.2 does not appear to have the issues with payload and payload printed fields anymore.