Bug #307
closedIPv6 output confusing
Description
When capturing IPv6 traffic the addresses are displayed like: 2001:bad:c0ff:33::1234:80 (fast.log, suricata.log, http.log)
This is a bit confusing since it could mean 2001:0bad:c0ff:0033:0000:0000:1234:0080 or 2001:0bad:c0ff:0033:0000:0000:0000:1234 port 80.
I think it would be better to output IPv6 address like: [2001:bad:c0ff:33::1234]:80.
Files
Updated by Victor Julien over 12 years ago
- Status changed from New to Assigned
- Assignee set to Peter Manev
- Priority changed from Low to Normal
- Target version set to 1.1beta3
- Estimated time set to 2.00 h
Peter can you figure out how Snort does it in it's fast log output? And barnyard2. If possible I'd like to stay compatible to those.
Updated by Sander Klein over 12 years ago
Snort does it like:
2001:0bad:c0ff:0033:0000:0000:0000:1234:80
Updated by Victor Julien over 12 years ago
- Assignee changed from Peter Manev to Eric Leblond
I guess that removes the ambiguity as well. Although I like the shorter notation much better, for compatibility we should probably use this as well.
Eric can you update the outputs accordingly?
Updated by Eric Leblond over 12 years ago
- File 0001-Introduce-PrintInet-function.patch 0001-Introduce-PrintInet-function.patch added
- File 0002-Transform-inet_ntop-call-into-PrintInet-one.patch 0002-Transform-inet_ntop-call-into-PrintInet-one.patch added
- % Done changed from 0 to 90
I attach to this comment two patches that fix this.
Updated by Victor Julien over 12 years ago
- Status changed from Assigned to Closed
- % Done changed from 90 to 100
Applied, thanks Eric.