Bug #1471
closed
No VLANID in AF-PACKET mode
Description
I run Suricata in AF-PACKET mode, and I didn't get the VLANID in the program. But when I run tcpdump on this interface, I see the VLAN IDs that the packets are tagged with. Why?
Updated by Peter Manev almost 9 years ago
You mean no VLANIDs in the logs (eve.json for example)?
Which Suricata ver are you using?
Updated by Jackie Cao almost 9 years ago
Peter Manev wrote:
> You mean no VLANIDs in the logs (eve.json for example)?
> Which Suricata ver are you using?
AF-PACKET mode:
I set the DecodeVLAN breakpoint when I GDB suricata. Then I use tcpreplay to send the packets; the program does not enter the breakpoint.
PCAP mode:
I set the DecodeVLAN breakpoint when I GDB suricata. Then I use tcpreplay to send the packets; the program enters the breakpoint.
Suricata ver is 2.0.7.
Updated by Peter Manev almost 9 years ago
Do you have vlan IDs in your logs (Suricata logs)?
Updated by Victor Julien over 8 years ago
Jackie Cao wrote:
> AF-PACKET mode:
> I set the DecodeVLAN breakpoint when I GDB suricata. Then I use tcpreplay to send the packets; the program does not enter the breakpoint.
In AF_PACKET mode the VLAN ID is retrieved from AF_PACKET directly, so there is no call to DecodeVLAN.
> PCAP mode:
> I set the DecodeVLAN breakpoint when I GDB suricata. Then I use tcpreplay to send the packets; the program enters the breakpoint.
> Suricata ver is 2.0.7.
Updated by Victor Julien almost 8 years ago
- Status changed from New to Assigned
- Assignee set to Eric Leblond
- Priority changed from Normal to High
- Target version set to 70
Apparently not all AF_PACKET read functions read the VLAN ID: #1780 https://redmine.openinfosecfoundation.org/issues/1780#note-7
Updated by Victor Julien over 6 years ago
- Status changed from Assigned to Closed
- Assignee deleted (Eric Leblond)
- Priority changed from High to Normal
- Target version deleted (70)
This should be fixed for all modes.
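The point made in the comments above (in AF_PACKET mode the VLAN ID comes from AF_PACKET itself rather than from DecodeVLAN, so a read function that skips it loses the ID), as an added C example that is not Suricata's code. It assumes the TPACKET_V2 ring header from `<linux/if_packet.h>`; the function names and the sample frames are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <linux/if_packet.h> /* struct tpacket2_hdr, TP_STATUS_VLAN_VALID */

#define TPID_8021Q 0x8100u
#define VID_MASK   0x0FFFu

/* In-band path: read the 802.1Q tag from the frame bytes. -1 if untagged. */
int vlan_from_frame(const uint8_t *f, size_t len)
{
    if (len < 18 || (((unsigned)f[12] << 8) | f[13]) != TPID_8021Q)
        return -1;
    return (int)((((unsigned)f[14] << 8) | f[15]) & VID_MASK);
}

/* Out-of-band path: read the TCI the kernel put in the TPACKET_V2 ring header. */
int vlan_from_tpacket2(const struct tpacket2_hdr *h)
{
    /* Older kernels do not set the flag, so a non-zero TCI also counts. */
    if (h->tp_vlan_tci == 0 && !(h->tp_status & TP_STATUS_VLAN_VALID))
        return -1;
    return (int)(h->tp_vlan_tci & VID_MASK);
}

/* What a capture reader should do: ring header first, frame bytes second. */
int packet_vlan(const struct tpacket2_hdr *h, const uint8_t *f, size_t len)
{
    int vid = vlan_from_tpacket2(h);
    return vid >= 0 ? vid : vlan_from_frame(f, len);
}

/* Constructed sample: the same packet as on the wire and as seen in the ring. */
static const uint8_t wire_frame[] = {
    2,0,0,0,0,1, 2,0,0,0,0,2, 0x81,0x00, 0x60,0x64, 0x08,0x00, 0x45,0x00 };
static const uint8_t ring_frame[] = {   /* tag already stripped by the kernel */
    2,0,0,0,0,1, 2,0,0,0,0,2, 0x08,0x00, 0x45,0x00, 0x00,0x14 };

int main(void)
{
    struct tpacket2_hdr h = {0};
    h.tp_status = TP_STATUS_USER | TP_STATUS_VLAN_VALID;
    h.tp_vlan_tci = 0x6064;   /* PCP 3, VID 100 */
    printf("wire bytes:  %d\n", vlan_from_frame(wire_frame, sizeof wire_frame));
    printf("ring bytes:  %d\n", vlan_from_frame(ring_frame, sizeof ring_frame));
    printf("ring header: %d\n", packet_vlan(&h, ring_frame, sizeof ring_frame));
    return 0;
}
```

A reader that only parses the ring's frame bytes reports no VLAN for this packet, which is the visibility gap a sensor operator should check for when VLAN IDs are missing from logs.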