Optimization #7849
openrule 2200121 : SURICATA Ethertype unknown
Description
Hi,
My Debian version: Debian GNU/Linux 13 (trixie)
Suricata version: 8.0.0
About rule 2200121:
Today, this alert brings up this information:
{ "timestamp": "2025-08-12T01:09:59.207354+0200", "in_iface": "enp4s0", "event_type": "alert", "pkt_src": "wire/pcap", "alert": { "action": "allowed", "gid": 1, "signature_id": 2200121, "rev": 1, "signature": "SURICATA Ethertype unknown", "category": "Generic Protocol Command Decode", "severity": 3 } }
Is it possible that in the future this alert will also indicate the affected protocol number?
In fact, yesterday I upgraded from Bookworm to Trixie and was able to compile Suricata version 8 (because rustc > 1.75.0).
In Suricata 7.0.11, this alert was never reported. But with version 8.0.0, yesterday over a period of 6h 31m 51s, I got:
38643 x 2200121 - SURICATA Ethertype unknown
Knowing the Ethertype would help clarify the problem:
- Is it a Suricata configuration issue? (The interface is 802.1q, enp4s0 = vlan1 and enp4s0.96 = vlan96, and I specified enp4s0 in the suricata configuration, IPS mode)
- Is it a Trixie issue, and if yes, which one?
- Is it a network attack?
- Other?
At the moment I don't have enough information to go further. Running a network analysis is always long and tedious to analyze.
For fun, unless I misunderstood something, for me:
capture.kernel_packets - decoder.ipv4 - decoder.arp - decoder.unknown_ethertype must be equal to zero.
316785 - 274652 - 3491 - 38643 = -1 Why?
Losing a packet isn't a big deal, but it can mask a bigger problem.
Thank you in advance for your feedback.
François.
------------------------------------------------------------------------------
Counter                                    | TM Name  | Value
------------------------------------------------------------------------------
capture.kernel_packets                     | Total    | 316785
capture.afpacket.polls                     | Total    | 532375
capture.afpacket.poll_timeout              | Total    | 416889
capture.afpacket.poll_data                 | Total    | 115486
decoder.pkts                               | Total    | 316786
decoder.bytes                              | Total    | 172455686
decoder.ipv4                               | Total    | 274652
decoder.ethernet                           | Total    | 316786
decoder.arp                                | Total    | 3491
decoder.unknown_ethertype                  | Total    | 38643
decoder.tcp                                | Total    | 145539
tcp.syn                                    | Total    | 212
tcp.synack                                 | Total    | 212
tcp.rst                                    | Total    | 19
decoder.udp                                | Total    | 122448
decoder.icmpv4                             | Total    | 1354
decoder.vlan                               | Total    | 222881
decoder.avg_pkt_size                       | Total    | 544
decoder.max_pkt_size                       | Total    | 1514
tcp.active_sessions                        | Total    | 1
flow.total                                 | Total    | 28709
flow.active                                | Total    | 92
flow.tcp                                   | Total    | 227
flow.udp                                   | Total    | 28302
flow.icmpv4                                | Total    | 180
flow.wrk.spare_sync_avg                    | Total    | 99
flow.wrk.spare_sync                        | Total    | 287
flow.wrk.spare_sync_incomplete             | Total    | 121
decoder.event.ipv4.opt_pad_required        | Total    | 3721
decoder.event.ethernet.unknown_ethertype   | Total    | 38643
flow.wrk.flows_evicted_needs_work          | Total    | 198
flow.wrk.flows_evicted_pkt_inject          | Total    | 336
flow.wrk.flows_evicted                     | Total    | 149
flow.wrk.flows_injected                    | Total    | 198
flow.wrk.flows_injected_max                | Total    | 1
tcp.sessions                               | Total    | 212
tcp.ssn_from_cache                         | Total    | 183
tcp.ssn_from_pool                          | Total    | 29
tcp.pseudo                                 | Total    | 6
tcp.segment_from_cache                     | Total    | 21390
tcp.segment_from_pool                      | Total    | 443
tcp.stream_depth_reached                   | Total    | 26
tcp.overlap                                | Total    | 2
detect.alert                               | Total    | 39163
detect.alerts_suppressed                   | Total    | 832
app_layer.flow.failed_tcp                  | Total    | 6
app_layer.flow.http                        | Total    | 3
app_layer.tx.http                          | Total    | 3
app_layer.flow.ftp                         | Total    | 31
app_layer.tx.ftp                           | Total    | 352
app_layer.flow.tls                         | Total    | 10
app_layer.flow.ssh                         | Total    | 6
app_layer.flow.ntp                         | Total    | 294
app_layer.tx.ntp                           | Total    | 756
app_layer.flow.ftp-data                    | Total    | 31
app_layer.flow.tftp                        | Total    | 13
app_layer.tx.tftp                          | Total    | 13
app_layer.flow.dhcp                        | Total    | 99
app_layer.tx.dhcp                          | Total    | 311
app_layer.flow.mdns                        | Total    | 20
app_layer.tx.mdns                          | Total    | 53032
app_layer.flow.failed_udp                  | Total    | 8165
app_layer.flow.dns_udp                     | Total    | 18947
app_layer.tx.dns_udp                       | Total    | 38841
app_layer.flow.sip_udp                     | Total    | 764
app_layer.tx.sip_udp                       | Total    | 72
app_layer.error.sip_udp.parser             | Total    | 6802
flow.end.state.new                         | Total    | 9159
flow.end.state.established                 | Total    | 19247
flow.end.state.closed                      | Total    | 211
flow.end.tcp_state.closed                  | Total    | 211
flow.mgr.full_hash_pass                    | Total    | 2337
flow.mgr.rows_per_sec                      | Total    | 6553
flow.spare                                 | Total    | 10925
flow.mgr.rows_maxlen                       | Total    | 2
flow.mgr.flows_checked                     | Total    | 68744
flow.mgr.flows_notimeout                   | Total    | 40255
flow.mgr.flows_timeout                     | Total    | 28489
flow.mgr.flows_evicted                     | Total    | 28490
flow.mgr.flows_evicted_needs_work          | Total    | 198
memcap.pressure                            | Total    | 5
memcap.pressure_max                        | Total    | 5
defrag.memuse                              | Total    | 33554432
flow.recycler.recycled                     | Total    | 28292
flow.recycler.queue_max                    | Total    | 24
tcp.memuse                                 | Total    | 1245184
tcp.reassembly_memuse                      | Total    | 276480
http.memuse                                | Total    | 336
http.byterange.memuse                      | Total    | 168384
http.byterange.memcap                      | Total    | 104857600
ippair.memuse                              | Total    | 398144
ippair.memcap                              | Total    | 398144
host.memuse                                | Total    | 382144
host.memcap                                | Total    | 33554432
flow.memuse                                | Total    | 7479904
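Until the alert itself carries the ethertype, it can be recovered from the bytes of the packet that triggered it. The block below is an added example, not code from Suricata or from anyone in this thread. It assumes that `packet: yes` has been enabled under the `alert` type in eve-log (that option stores the triggering packet base64-encoded in the event's `packet` field and the pcap link type in `packet_info.linktype`); the eve lines and frames it runs on are constructed inline. It walks 802.1Q/802.1ad tags the way a decoder does, so on a trunk like enp4s0 the reported ethertype is the inner one that decides between IPv4, ARP and "unknown", and it keeps alerts without a packet or without an Ethernet header in their own buckets instead of dropping them.

```python
import base64
import json
import struct
import sys
from collections import Counter

# Constructed lookup of well-known EtherTypes; anything else is printed as hex.
ETHERTYPES = {
    0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6",
    0x8100: "802.1Q", 0x88A8: "802.1ad", 0x8863: "PPPoE-Discovery",
    0x8864: "PPPoE-Session", 0x8847: "MPLS", 0x88CC: "LLDP", 0x88E5: "MACsec",
}
DLT_EN10MB = 1  # pcap link type for Ethernet, the value eve puts in packet_info.linktype


def ethertype_of(frame: bytes):
    """Return (vlan_ids, ethertype) for a raw Ethernet frame.

    802.1Q and 802.1ad tags are skipped the way a decoder does, so the
    returned ethertype is the one that decides between IPv4/ARP/IPv6 and
    'unknown'. Returns None when the frame is too short to decide.
    """
    if len(frame) < 14:
        return None
    vlans = []
    off = 12
    etype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    while etype in (0x8100, 0x88A8):
        if len(frame) < off + 4:
            return None
        tci, etype = struct.unpack_from("!HH", frame, off)
        vlans.append(tci & 0x0FFF)
        off += 4
    return vlans, etype


def ethertype_histogram(eve_lines, sid=2200121):
    """Count what sits behind the Ethernet header of every alert for `sid`.

    Needs 'packet: yes' under the alert output type. Alerts without a packet,
    or captured without a link-layer header (NFQ hands Suricata raw IP, so
    linktype is not 1), are counted in their own buckets rather than skipped.
    """
    hist = Counter()
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "alert" or ev.get("alert", {}).get("signature_id") != sid:
            continue
        pkt_b64 = ev.get("packet")
        if pkt_b64 is None:
            hist["no packet in event (enable packet: yes)"] += 1
            continue
        linktype = ev.get("packet_info", {}).get("linktype")
        if linktype != DLT_EN10MB:
            hist[f"linktype {linktype}: no Ethernet header"] += 1
            continue
        parsed = ethertype_of(base64.b64decode(pkt_b64))
        if parsed is None:
            hist["truncated frame"] += 1
            continue
        vlans, etype = parsed
        tag = "/".join(str(v) for v in vlans) or "untagged"
        hist[f"0x{etype:04x} {ETHERTYPES.get(etype, 'unknown')} vlan={tag}"] += 1
    return hist


# --- constructed sample input (not taken from the thread) --------------------
def make_frame(etype, vlan=None):
    """Minimal Ethernet frame, optionally 802.1Q tagged, with a dummy payload."""
    hdr = bytes.fromhex("0180c200000e") + bytes.fromhex("001122334455")
    hdr += struct.pack("!HHH", 0x8100, vlan, etype) if vlan is not None else struct.pack("!H", etype)
    return hdr + b"\x00" * 32


def make_alert(packet=None, linktype=DLT_EN10MB, sid=2200121):
    ev = {"event_type": "alert", "alert": {"signature_id": sid, "signature": "SURICATA Ethertype unknown"}}
    if packet is not None:
        ev["packet"] = base64.b64encode(packet).decode()
        ev["packet_info"] = {"linktype": linktype}
    return json.dumps(ev)


SAMPLE_EVE = [
    make_alert(make_frame(0x88CC, vlan=96)),        # LLDP on VLAN 96
    make_alert(make_frame(0x88CC, vlan=96)),
    make_alert(make_frame(0x9000)),                 # Ethernet loopback/CTP, untagged
    make_alert(b"\x45" + b"\x00" * 19, linktype=12),  # raw IP capture: nothing to parse
    make_alert(),                                   # alert logged without a packet
    json.dumps({"event_type": "flow", "proto": "TCP"}),  # not an alert, ignored
]

if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EVE
    for key, n in ethertype_histogram(source).most_common():
        print(f"{n:8d}  {key}")
```

Run it as `python3 ethertypes.py /var/log/suricata/eve.json` to get a histogram of what the 2200121 alerts actually carried, per VLAN. If every alert lands in the "linktype N: no Ethernet header" bucket, the packets reached Suricata without a link-layer header, which is what a raw-IP capture such as NFQ delivers; neither this script nor the `ethernet: yes` option can show an ethertype that was never captured. A stats block in which `decoder.ethernet` stays at 0 while `decoder.ipv4` equals `decoder.pkts` is consistent with the same situation.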
Updated by François RAPIN about 2 months ago
Hi,
Sorry for that, I made a mistake in the second part of my message. I had mixed apples with oranges. The correct formula is:
decoder.pkts - decoder.ipv4 - decoder.arp - decoder.unknown_ethertype must be equal to zero.
316786 - 274652 - 3491 - 38643 = 0
But my initial request to display the protocol number remains valid.
Have a nice day.
François
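The corrected accounting above, as an added example rather than code from the thread: a parser for the stats.log table format posted in the first message and the balance check run over its counters. The ipv6 term and the remark about other encapsulations are my generalisation of the formula, and the sample text is an excerpt of the posted dump.

```python
import re

# One stats.log row: "counter | TM Name | value" (the posted dump uses TM Name 'Total').
STATS_ROW = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*\|\s*([^|]+?)\s*\|\s*(\d+)\s*$")


def parse_stats_log(text, tm_name="Total"):
    """Parse stats.log rows into {counter: value} for one TM Name column.

    stats.log is appended to on every interval; later rows overwrite earlier
    ones, so the result reflects the last dump present in `text`.
    """
    counters = {}
    for line in text.splitlines():
        m = STATS_ROW.match(line)
        if m and m.group(2) == tm_name:
            counters[m.group(1)] = int(m.group(3))
    return counters


# Counters a decoded Ethernet frame ends up in once its ethertype is known.
# Assumption: ipv6 belongs here even though the posted dump has none; link-layer
# encapsulations with their own counters (decoder.pppoe, decoder.mpls, ...) would
# have to be added if they are non-zero in a given deployment.
ETHERNET_LEAVES = ("decoder.ipv4", "decoder.ipv6", "decoder.arp", "decoder.unknown_ethertype")


def decoder_residual(counters, leaves=ETHERNET_LEAVES):
    """decoder.pkts minus the packets accounted for by `leaves`; 0 means balanced."""
    return counters.get("decoder.pkts", 0) - sum(counters.get(k, 0) for k in leaves)


def capture_vs_decoder(counters):
    """decoder.pkts minus capture.kernel_packets.

    The two are read from different places (kernel socket statistics versus the
    decoder's own count), so a difference of a packet or two at dump time is not
    a lost packet; this is why capture.kernel_packets is the wrong base for the
    balance check.
    """
    return counters.get("decoder.pkts", 0) - counters.get("capture.kernel_packets", 0)


def unknown_ethertype_share(counters):
    """Fraction of decoded packets that hit decoder.unknown_ethertype."""
    pkts = counters.get("decoder.pkts", 0)
    return counters.get("decoder.unknown_ethertype", 0) / pkts if pkts else 0.0


# Excerpt of the stats.log dump posted in the first message.
SAMPLE_STATS_LOG = """\
------------------------------------------------------------------------------
Counter                                    | TM Name  | Value
------------------------------------------------------------------------------
capture.kernel_packets                     | Total    | 316785
decoder.pkts                               | Total    | 316786
decoder.ipv4                               | Total    | 274652
decoder.ethernet                           | Total    | 316786
decoder.arp                                | Total    | 3491
decoder.unknown_ethertype                  | Total    | 38643
decoder.vlan                               | Total    | 222881
"""

if __name__ == "__main__":
    c = parse_stats_log(SAMPLE_STATS_LOG)
    print("decoder residual      :", decoder_residual(c))
    print("decoder - capture     :", capture_vs_decoder(c))
    print("unknown_ethertype     : %.1f%% of decoded packets" % (100 * unknown_ethertype_share(c)))
```

`decoder.vlan` is deliberately not in the sum: a tagged frame is counted there and again in the counter of whatever it carries, so adding it would double-count. A residual that is positive means packets left the Ethernet decoder through a path that has no counter in the list; a negative one means a packet was counted twice, which is the case to look into.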
Updated by Philippe Antoine 19 days ago
Jlucovsky you made it possible, but suricata.yaml needs one option, right?
In eve-log, like:
ethernet: yes # log ethernet header in events when available
Updated by François RAPIN 18 days ago
Hi,
This is a good idea to check over a few days. I'll check the size of the log files with these additional 22 bytes, but I think the impact will be minimal.
Thanks again for this idea.
Regards.
François
Updated by François RAPIN about 8 hours ago
Hi,
Sorry for that, but I have a doubt:
I modified my configuration file /etc/suricata/suricata.yaml with:
ethernet: yes
But I don't see any trace of the headers in the eve.json output.
Maybe I don't know how to search. In fact, I'm surprised that I can't find the "Ethertype" number or information like the source and destination MAC addresses. Did I do something wrong?
I'm on Trixie and I just upgraded to Suricata 8.0.1.
Thanks in advance for your help.
One example:
cat /var/log/suricata/eve.json.1 | jq 'select(.ether == null)' | more
{
  "timestamp": "2025-10-02T00:00:26.778820+0200",
  "flow_id": 2003682908544790,
  "event_type": "flow",
  "src_ip": "192.168.96.81",
  "src_port": 53735,
  "dest_ip": "192.168.96.100",
  "dest_port": 3551,
  "ip_v": 4,
  "proto": "TCP",
  "flow": {
    "pkts_toserver": 7,
    "pkts_toclient": 6,
    "bytes_toserver": 300,
    "bytes_toclient": 996,
    "start": "2025-10-01T23:59:19.269910+0200",
    "end": "2025-10-01T23:59:19.595818+0200",
    "age": 0,
    "state": "closed",
    "reason": "timeout",
    "alerted": false,
    "wrong_thread": true
  },
  "tcp": {
    "tcp_flags": "1b",
    "tcp_flags_ts": "1b",
    "tcp_flags_tc": "1b",
    "syn": true,
    "fin": true,
    "psh": true,
    "ack": true,
    "state": "closed",
    "ts_max_regions": 1,
    "tc_max_regions": 1
  }
}
{
  "timestamp": "2025-10-02T00:00:27.711646+0200",
  "flow_id": 2029438225135704,
  "event_type": "flow",
  "src_ip": "192.168.96.81",
  "src_port": 55570,
  "dest_ip": "192.168.96.100",
  "dest_port": 53,
  "ip_v": 4,
  "proto": "UDP",
  "app_proto": "dns",
  "flow": {
    "pkts_toserver": 1,
    "pkts_toclient": 1,
    "bytes_toserver": 66,
    "bytes_toclient": 138,
    "start": "2025-10-01T23:55:19.013763+0200",
    "end": "2025-10-01T23:55:19.015021+0200",
    "age": 0,
    "state": "established",
    "reason": "timeout",
    "alerted": false,
    "tx_cnt": 2
  }
}
{
  "timestamp": "2025-10-02T00:00:31.646771+0200",
  "event_type": "stats",
  "stats": {
    "uptime": 84862,
    "ips": {
      "accepted": 537199,
      "blocked": 4256,
      "rejected": 0,
      "replaced": 0,
      "drop_reason": {
        "decode_error": 0,
        "defrag_error": 0,
        "defrag_memcap": 0,
        "flow_memcap": 0,
        "flow_drop": 2882,
        "applayer_error": 0,
        "applayer_memcap": 0,
        "rules": 1219,
        "threshold_detection_filter": 0,
        "stream_error": 155,
        "stream_memcap": 0,
        "stream_midstream": 0,
        "stream_reassembly": 0,
        "stream_urgent": 0,
        "nfq_error": 0,
        "tunnel_packet_drop": 0,
        "default_packet_policy": 0,
        "default_app_policy": 0,
        "pre_stream_hook": 0,
        "pre_flow_hook": 0
      }
    },
    "decoder": {
      "pkts": 541455,
      "bytes": 254584145,
      "invalid": 0,
      "ipv4": 541455,
      "ipv6": 0,
      "ethernet": 0,
      "arp": 0,
      "unknown_ethertype": 0,
      "chdlc": 0,
      "raw": 0,
      "null": 0,
      "sll": 0,
      "sll2": 0,
      "tcp": 239090,
      "udp": 295271,
      "sctp": 0,
      "esp": 0,
      "icmpv4": 7094,
      "icmpv6": 0,
      "ppp": 0,
      "pppoe": 0,
      "geneve": 0,
      "gre": 0,
      "vlan": 0,
      "vlan_qinq": 0,
      "vlan_qinqinq": 0,
      "vxlan": 0,
      "vntag": 0,
      "ieee8021ah": 0,
      "teredo": 0,
      "ipv4_in_ipv4": 0,
My configuration file:
grep -v '^\s*$\|^\s*\#' /etc/suricata/suricata.yaml
%YAML 1.1
---
suricata-version: "7.0"
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DC_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: 21
    GENEVE_PORTS: 6081
    VXLAN_PORTS: 4789
    TEREDO_PORTS: 3544
default-log-dir: /var/log/suricata/
stats:
  enabled: yes
  interval: 8
plugins:
outputs:
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      ethernet: yes # log ethernet header in events when available
      pcap-file: false
      community-id: false
      community-id-seed: 0
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
      types:
        - alert:
            tagged-packets: yes
        - frame:
            enabled: no
        - anomaly:
            enabled: yes
            types:
        - http:
            extended: yes # enable this for extended logging information
        - dns:
        - tls:
            extended: yes # enable this for extended logging information
        - files:
            force-magic: no # force logging magic on all logged files
        - drop:
            alerts: yes
            flows: all
            verdict: yes
        - smtp:
        - ftp
        - rdp
        - nfs
        - smb
        - tftp
        - ike
        - dcerpc
        - krb5
        - bittorrent-dht
        - snmp
        - rfb
        - sip
        - quic:
        - dhcp:
            enabled: yes
            extended: no
        - ssh
        - mqtt:
        - http2
        - pgsql:
            enabled: no
        - stats:
            totals: yes # stats for all threads merged together
            threads: no # per thread stats
            deltas: no # include delta values
        - flow
  - http-log:
      enabled: no
      filename: http.log
      append: yes
  - tls-log:
      enabled: no # Log TLS connections.
      filename: tls.log # File to store TLS logs.
      append: yes
  - tls-store:
      enabled: no
  - pcap-log:
      enabled: no
      filename: log.pcap
      limit: 1000mb
      max-files: 2000
      compression: none
      mode: normal # normal, multi or sguil.
      use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
      honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged.
  - alert-debug:
      enabled: no
      filename: alert-debug.log
      append: yes
  - stats:
      enabled: yes
      filename: stats.log
      append: yes # append to file (yes) or overwrite it (no)
      totals: yes # stats for all threads merged together
      threads: no # per thread stats
  - syslog:
      enabled: no
      facility: local5
  - file-store:
      version: 2
      enabled: no
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
  - tcp-data:
      enabled: no
      type: file
      filename: tcp-data.log
  - http-body-data:
      enabled: no
      type: file
      filename: http-data.log
  - lua:
      enabled: no
      scripts:
logging:
  default-log-level: notice
  default-output-filter:
  outputs:
  - console:
      enabled: yes
  - file:
      enabled: yes
      level: info
      filename: suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "
af-packet:
  - interface: enp4s0
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    ring-size: 32000
  - interface: default
af-xdp:
  - interface: default
dpdk:
  eal-params:
    proc-type: primary
  interfaces:
    - interface: 0000:3b:00.0 # PCIe address of the NIC port
      threads: auto
      promisc: true # promiscuous mode - capture all packets
      multicast: true # enables also detection on multicast packets
      checksum-checks: true # if Suricata should validate checksums
      checksum-checks-offload: true # if possible offload checksum validation to the NIC (saves Suricata resources)
      mtu: 1500 # Set MTU of the device in bytes
      mempool-size: 65535 # The number of elements in the mbuf pool
      mempool-cache-size: 257
      rx-descriptors: 1024
      tx-descriptors: 1024
      copy-mode: none
      copy-iface: none # or PCIe address of the second interface
    - interface: default
      threads: auto
      promisc: true
      multicast: true
      checksum-checks: true
      checksum-checks-offload: true
      mtu: 1500
      rss-hash-functions: auto
      mempool-size: 65535
      mempool-cache-size: 257
      rx-descriptors: 1024
      tx-descriptors: 1024
      copy-mode: none
      copy-iface: none
pcap:
  - interface: enp4s0
  - interface: default
pcap-file:
  checksum-checks: auto
app-layer:
  protocols:
    telnet:
      enabled: yes
    rfb:
      enabled: yes
      detection-ports:
        dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
    mqtt:
      enabled: yes
    krb5:
      enabled: yes
    bittorrent-dht:
      enabled: yes
    snmp:
      enabled: yes
    ike:
      enabled: yes
    tls:
      enabled: yes
      detection-ports:
        dp: 443
    pgsql:
      enabled: no
      stream-depth: 0
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    rdp:
    ssh:
      enabled: yes
    http2:
      enabled: yes
    smtp:
      enabled: yes
      raw-extraction: no
      mime:
        decode-mime: yes
        decode-base64: yes
        decode-quoted-printable: yes
        header-value-depth: 2000
        extract-urls: yes
        body-md5: no
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445
    nfs:
      enabled: yes
    tftp:
      enabled: yes
    dns:
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      libhtp:
        default-config:
          personality: IDS
          request-body-limit: 100kb
          response-body-limit: 100kb
          request-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-minimal-inspect-size: 40kb
          response-body-inspect-window: 16kb
          response-body-decompress-layer-limit: 2
          http-body-inline: auto
          swf-decompression:
            enabled: no
            type: both
            compress-depth: 100kb
            decompress-depth: 100kb
          double-decode-path: no
          double-decode-query: no
        server-config:
    modbus:
      enabled: no
      detection-ports:
        dp: 502
      stream-depth: 0
    dnp3:
      enabled: no
      detection-ports:
        dp: 20000
    enip:
      enabled: no
      detection-ports:
        dp: 44818
        sp: 44818
    ntp:
      enabled: yes
    quic:
      enabled: yes
    dhcp:
      enabled: yes
    sip:
asn1-max-frames: 256
datasets:
  defaults:
  limits:
  rules:
security:
  limit-noproc: true
  landlock:
    enabled: no
    directories:
      read:
        - /usr/
        - /etc/
        - /etc/suricata/
  lua:
coredump:
  max-dump: unlimited
host-mode: auto
runmode: workers
unix-command:
  enabled: yes
legacy:
  uricontent: enabled
exception-policy: auto
engine-analysis:
  rules-fast-pattern: yes
  rules: yes
pcre:
  match-limit: 3500
  match-limit-recursion: 1500
host-os-policy:
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: []
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []
defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60
flow:
  memcap: 128mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
vlan:
  use-for-tracking: true
livedev:
  use-for-tracking: true
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
    emergency-bypassed: 50
  tcp:
    new: 60
    established: 600
    closed: 60
    bypassed: 100
    emergency-new: 5
    emergency-established: 100
    emergency-closed: 10
    emergency-bypassed: 50
  udp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
  icmp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
stream:
  memcap: 64mb
  checksum-validation: yes # reject incorrect csums
  inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 256mb
    depth: 1mb # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 32mb
decoder:
  teredo:
    enabled: true
    ports: $TEREDO_PORTS # syntax: '[3544, 1234]' or '3533' or 'any'.
  vxlan:
    enabled: true
    ports: $VXLAN_PORTS # syntax: '[8472, 4789]' or '4789'.
  geneve:
    enabled: true
    ports: $GENEVE_PORTS # syntax: '[6081, 1234]' or '6081'.
detect:
  profile: medium
  custom-values:
    toclient-groups: 3
    toserver-groups: 25
  sgh-mpm-context: auto
  prefilter:
    default: mpm
  grouping:
  profiling:
    grouping:
      dump-to-disk: false
      include-rules: false # very verbose
      include-mpm-stats: false
mpm-algo: ac
spm-algo: bm
threading:
  set-cpu-affinity: no
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ] # include only these CPUs in affinity settings
    - receive-cpu-set:
        cpu: [ 0 ] # include only these CPUs in affinity settings
    - worker-cpu-set:
        cpu: [ "all" ]
        mode: "exclusive"
        prio:
          low: [ 0 ]
          medium: [ "1-2" ]
          high: [ 3 ]
          default: "medium"
  detect-thread-ratio: 1.0
luajit:
  states: 128
profiling:
  rules:
    enabled: yes
    filename: rule_perf.log
    append: yes
    limit: 10
    json: yes
  keywords:
    enabled: yes
    filename: keyword_perf.log
    append: yes
  prefilter:
    enabled: yes
    filename: prefilter_perf.log
    append: yes
  rulegroups:
    enabled: yes
    filename: rule_group_perf.log
    append: yes
  packets:
    enabled: yes
    filename: packet_stats.log
    append: yes
    csv:
      enabled: no
      filename: packet_stats.csv
  locks:
    enabled: no
    filename: lock_stats.log
    append: yes
  pcap-log:
    enabled: no
    filename: pcaplog_stats.log
    append: yes
nfq:
  mode: accept
  batchcount: 20
  fail-open: yes
nflog:
  - group: 2
    buffer-size: 18432
  - group: default
    qthreshold: 1
    qtimeout: 100
    max-size: 20000
capture:
netmap:
  - interface: eth2
  - interface: default
pfring:
  - interface: enp4s0
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
  - interface: default
ipfw:
napatech:
  streams: ["0-3"]
  enable-stream-stats: no
  auto-config: yes
  hardware-bypass: yes
  inline: no
  ports: [0-1,2-3]
  hashmode: hash5tuplesorted
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config