Support #2972

closed

How can I get the MAC in NFQ mode

Added by John Smith almost 5 years ago. Updated almost 5 years ago.

Status: Closed
Priority: Normal
Assignee: -
Affected Versions:
Label:

Description

When I start Suricata in NFQ mode, as suricata -c /etc/suricata/suricata.yaml -q 0 -q 1, I can't get the MAC address from the packet, because if a packet is from NFQ, there are no MAC bytes when I use Wireshark to get the packet.

Actions #1

Updated by Alexander Gozman almost 5 years ago

John Smith wrote:

When I start Suricata in NFQ mode, as suricata -c /etc/suricata/suricata.yaml -q 0 -q 1, I can't get the MAC address from the packet, because if a packet is from NFQ, there are no MAC bytes when I use Wireshark to get the packet.

At best (AFAIK), NFQ can provide source MAC address but never a destination one (because it's unknown at the moment of capture).
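Added example, not part of the ticket or of Suricata's code: the source MAC mentioned in the reply above travels in the NFQA_HWADDR attribute of each queued-packet message, which libnetfilter_queue exposes through nfq_get_packet_hw(). The sketch below walks the attributes of one message by hand; the function names nfq_source_mac and sample_msg are hypothetical, the struct layouts are redefined from linux/netfilter/nfnetlink_queue.h, and the sample message and MAC are constructed.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values and layouts follow linux/netfilter/nfnetlink_queue.h, redefined so this builds alone. */
enum { NFQA_MARK = 3, NFQA_HWADDR = 9 };
struct attr_hdr  { uint16_t len, type; };               /* host order; len includes the header */
struct packet_hw { uint16_t hw_addrlen, pad; uint8_t hw_addr[8]; }; /* hw_addrlen is big-endian */
#define ATTR_ALIGN(n) (((size_t)(n) + 3) & ~(size_t)3)

/* Walk the attributes of one queued-packet message and format the source MAC.
 * Returns 0 on success, -1 when NFQA_HWADDR is absent or malformed. */
int nfq_source_mac(const uint8_t *buf, size_t len, char out[18])
{
    struct attr_hdr h;
    struct packet_hw hw;
    for (size_t off = 0; off + sizeof h <= len; off += ATTR_ALIGN(h.len)) {
        memcpy(&h, buf + off, sizeof h);
        if (h.len < sizeof h || h.len > len - off) return -1;   /* truncated or corrupt */
        if (h.type != NFQA_HWADDR) continue;                    /* skip other attributes */
        if (h.len - sizeof h < sizeof hw) return -1;
        memcpy(&hw, buf + off + sizeof h, sizeof hw);
        if (ntohs(hw.hw_addrlen) != 6) return -1;               /* not a 6-byte Ethernet address */
        const uint8_t *a = hw.hw_addr;
        snprintf(out, 18, "%02x:%02x:%02x:%02x:%02x:%02x", a[0], a[1], a[2], a[3], a[4], a[5]);
        return 0;
    }
    return -1;                                                  /* no hardware address attribute */
}

/* Constructed sample message: a mark attribute, then (optionally) a hardware address. */
size_t sample_msg(uint8_t buf[24], int with_hw)
{
    struct { struct attr_hdr m; uint32_t mark; struct attr_hdr w; struct packet_hw hw; } s = {
        { 8, NFQA_MARK }, 0, { 16, NFQA_HWADDR }, { htons(6), 0, { 0x02, 0, 0, 0xaa, 0xbb, 0xcc } } };
    memcpy(buf, &s, sizeof s);
    return with_hw ? sizeof s : 8;      /* without the attribute only the mark is in range */
}

int main(void)
{
    uint8_t buf[24];
    char mac[18];
    if (nfq_source_mac(buf, sample_msg(buf, 1), mac) == 0) printf("source MAC: %s\n", mac);
    if (nfq_source_mac(buf, sample_msg(buf, 0), mac) != 0) puts("no hardware address attribute");
    return 0;
}
```

There is no corresponding attribute for a destination MAC, so a consumer has to treat the -1 case and the missing destination as normal rather than as an error.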

Actions #2

Updated by Victor Julien almost 5 years ago

  • Target version deleted (4.1.4)

Actions #3

Updated by Victor Julien almost 5 years ago

  • Assignee deleted (Victor Julien)

Actions #4

Updated by Andreas Herz almost 5 years ago

  • Assignee set to Community Ticket
  • Target version set to Support

Actions #5

Updated by Victor Julien almost 5 years ago

  • Status changed from New to Closed
  • Assignee deleted (Community Ticket)
  • Target version deleted (Support)
  • Difficulty deleted (high)