VLAN tags stripped when saving pcap log
As this is my first report, sorry if the report is not perfect.
Playing with SELKS, I found out that the PCAPs saved by Suricata and picked up by Moloch are missing the VLAN information. I checked Moloch PCAPs from /data/moloch/raw, Suricata PCAPs from /data/nsm and a traffic recording from my mirror interface made with tcpdump. The tcpdump PCAP has VLAN information; the Moloch and Suricata PCAPs don't.
With the same config file, if I feed the PCAP file to Suricata (suricata -k none -r vlan_test.pcap --runmode single), the VLAN information is preserved in the PCAP file saved by Suricata.
Attached is my Suricata build info. Hope it helps.
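A quick way to repeat the comparison described in the report, as an added example that is not part of the original report or of Suricata: this Python script walks a classic (non-pcapng) Ethernet pcap and counts frames that still carry an 802.1Q/802.1ad tag, so a tcpdump capture, a Moloch file and a Suricata pcap-log file can be checked side by side. The sample pcap it builds when run without arguments is constructed for the demo (one frame tagged with VLAN 100, one untagged).

```python
import struct
import sys

LINKTYPE_ETHERNET = 1
VLAN_ETHERTYPES = (0x8100, 0x88A8)   # 802.1Q tag, 802.1ad (QinQ) outer tag


def count_vlan_frames(data: bytes) -> dict:
    """Walk a classic (non-pcapng) Ethernet pcap and count 802.1Q/802.1ad-tagged frames.

    Returns {"total": frames, "tagged": tagged frames, "vlan_ids": sorted VLAN IDs}.
    """
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):        # little-endian writer, us or ns timestamps
        end = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):      # big-endian writer
        end = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    if struct.unpack_from(end + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET is handled")
    off, total, tagged, vlan_ids = 24, 0, 0, set()
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(end + "IIII", data, off)[2]   # ts_sec, ts_frac, incl, orig
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        total += 1
        # The ethertype follows the two MAC addresses; a VLAN tag replaces it with
        # 0x8100 and a 16-bit TCI whose low 12 bits are the VLAN ID.
        if len(frame) >= 16 and struct.unpack_from("!H", frame, 12)[0] in VLAN_ETHERTYPES:
            tagged += 1
            vlan_ids.add(struct.unpack_from("!H", frame, 14)[0] & 0x0FFF)
    return {"total": total, "tagged": tagged, "vlan_ids": sorted(vlan_ids)}


def build_sample_pcap() -> bytes:
    """Constructed sample pcap: one frame tagged with VLAN 100 and one untagged frame."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    macs = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    ipv4 = struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19   # placeholder IPv4 header
    tagged = macs + struct.pack("!HH", 0x8100, 100) + ipv4
    plain = macs + ipv4
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in (tagged, plain))
    return hdr + records


if __name__ == "__main__":
    # With a path argument, inspect a real capture (e.g. a Suricata pcap-log file);
    # otherwise run against the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    print(count_vlan_frames(data))
```

A capture where the tags were stripped at the capture layer reports `tagged: 0`, which is the symptom the report describes.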