Optimization #7849
openrule 2200121 : SURICATA Ethertype unknown
Description
Hi,
My debian version : Debian GNU/Linux 13 (trixie)
Suricata version 8.0.0
About rule 2200121:
Today, this alert brings up this information:
{ "timestamp": "2025-08-12T01:09:59.207354+0200", "in_iface": "enp4s0", "event_type": "alert", "pkt_src": "wire/pcap", "alert": { "action": "allowed", "gid": 1, "signature_id": 2200121, "rev": 1, "signature": "SURICATA Ethertype unknown", "category": "Generic Protocol Command Decode", "severity": 3 } }
Is it possible that in the future this alert will also indicate the affected protocol number?
In fact, yesterday I upgraded from Bookworm to Trixie and was able to compile Suricata version 8 (because rustc > 1.75.0).
In Suricata 7.0.11, this alert was never reported. But with version 8.0.0, yesterday over a period of 6h 31m 51s, I got:
38643 x 2200121 - SURICATA Ethertype unknown
Knowing the Ethertype would help clarify the problem:
- Is it a Suricata configuration issue? (The interface is 802.1q, enp4s0 = vlan1 and enp4s0.96 = vlan96, and I specified enp4s0 in the suricata configuration, IPS mode)
- Is it a Trixie issue, and if yes, which one?
- Is it a network attack?
- Other?
At the moment I don't have enough information to go further. Running a network analysis is always long and tedious to analyze.
For fun, unless I misunderstood something, for me:
capture.kernel_packets - decoder.ipv4 - decoder.arp - decoder.unknown_ethertype must be equal to zero.
316785 - 274652 - 3491 - 38643 = -1. Why?
Losing a packet isn't a big deal, but it can mask a bigger problem.
Thank you in advance for your feedback.
François.
------------------------------------------------------------------------
Counter                                    | TM Name | Value
------------------------------------------------------------------------
capture.kernel_packets                     | Total   | 316785
capture.afpacket.polls                     | Total   | 532375
capture.afpacket.poll_timeout              | Total   | 416889
capture.afpacket.poll_data                 | Total   | 115486
decoder.pkts                               | Total   | 316786
decoder.bytes                              | Total   | 172455686
decoder.ipv4                               | Total   | 274652
decoder.ethernet                           | Total   | 316786
decoder.arp                                | Total   | 3491
decoder.unknown_ethertype                  | Total   | 38643
decoder.tcp                                | Total   | 145539
tcp.syn                                    | Total   | 212
tcp.synack                                 | Total   | 212
tcp.rst                                    | Total   | 19
decoder.udp                                | Total   | 122448
decoder.icmpv4                             | Total   | 1354
decoder.vlan                               | Total   | 222881
decoder.avg_pkt_size                       | Total   | 544
decoder.max_pkt_size                       | Total   | 1514
tcp.active_sessions                        | Total   | 1
flow.total                                 | Total   | 28709
flow.active                                | Total   | 92
flow.tcp                                   | Total   | 227
flow.udp                                   | Total   | 28302
flow.icmpv4                                | Total   | 180
flow.wrk.spare_sync_avg                    | Total   | 99
flow.wrk.spare_sync                        | Total   | 287
flow.wrk.spare_sync_incomplete             | Total   | 121
decoder.event.ipv4.opt_pad_required        | Total   | 3721
decoder.event.ethernet.unknown_ethertype   | Total   | 38643
flow.wrk.flows_evicted_needs_work          | Total   | 198
flow.wrk.flows_evicted_pkt_inject          | Total   | 336
flow.wrk.flows_evicted                     | Total   | 149
flow.wrk.flows_injected                    | Total   | 198
flow.wrk.flows_injected_max                | Total   | 1
tcp.sessions                               | Total   | 212
tcp.ssn_from_cache                         | Total   | 183
tcp.ssn_from_pool                          | Total   | 29
tcp.pseudo                                 | Total   | 6
tcp.segment_from_cache                     | Total   | 21390
tcp.segment_from_pool                      | Total   | 443
tcp.stream_depth_reached                   | Total   | 26
tcp.overlap                                | Total   | 2
detect.alert                               | Total   | 39163
detect.alerts_suppressed                   | Total   | 832
app_layer.flow.failed_tcp                  | Total   | 6
app_layer.flow.http                        | Total   | 3
app_layer.tx.http                          | Total   | 3
app_layer.flow.ftp                         | Total   | 31
app_layer.tx.ftp                           | Total   | 352
app_layer.flow.tls                         | Total   | 10
app_layer.flow.ssh                         | Total   | 6
app_layer.flow.ntp                         | Total   | 294
app_layer.tx.ntp                           | Total   | 756
app_layer.flow.ftp-data                    | Total   | 31
app_layer.flow.tftp                        | Total   | 13
app_layer.tx.tftp                          | Total   | 13
app_layer.flow.dhcp                        | Total   | 99
app_layer.tx.dhcp                          | Total   | 311
app_layer.flow.mdns                        | Total   | 20
app_layer.tx.mdns                          | Total   | 53032
app_layer.flow.failed_udp                  | Total   | 8165
app_layer.flow.dns_udp                     | Total   | 18947
app_layer.tx.dns_udp                       | Total   | 38841
app_layer.flow.sip_udp                     | Total   | 764
app_layer.tx.sip_udp                       | Total   | 72
app_layer.error.sip_udp.parser             | Total   | 6802
flow.end.state.new                         | Total   | 9159
flow.end.state.established                 | Total   | 19247
flow.end.state.closed                      | Total   | 211
flow.end.tcp_state.closed                  | Total   | 211
flow.mgr.full_hash_pass                    | Total   | 2337
flow.mgr.rows_per_sec                      | Total   | 6553
flow.spare                                 | Total   | 10925
flow.mgr.rows_maxlen                       | Total   | 2
flow.mgr.flows_checked                     | Total   | 68744
flow.mgr.flows_notimeout                   | Total   | 40255
flow.mgr.flows_timeout                     | Total   | 28489
flow.mgr.flows_evicted                     | Total   | 28490
flow.mgr.flows_evicted_needs_work          | Total   | 198
memcap.pressure                            | Total   | 5
memcap.pressure_max                        | Total   | 5
defrag.memuse                              | Total   | 33554432
flow.recycler.recycled                     | Total   | 28292
flow.recycler.queue_max                    | Total   | 24
tcp.memuse                                 | Total   | 1245184
tcp.reassembly_memuse                      | Total   | 276480
http.memuse                                | Total   | 336
http.byterange.memuse                      | Total   | 168384
http.byterange.memcap                      | Total   | 104857600
ippair.memuse                              | Total   | 398144
ippair.memcap                              | Total   | 398144
host.memuse                                | Total   | 382144
host.memcap                                | Total   | 33554432
flow.memuse                                | Total   | 7479904
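Until the alert carries the ethertype, the practical way to answer the report's question ("which protocol number is hitting decoder.unknown_ethertype?") is to look at a short capture from the same interface. The script below is an added example, not Suricata code and not from the reporter: it reads a classic pcap (not pcapng) with an Ethernet link type, peels 802.1Q and 802.1ad VLAN tags (the interface in the report is 802.1Q, and decoder.vlan shows most frames are tagged), and counts the innermost ethertype per VLAN. The `KNOWN` set is this script's own split into decoded versus unknown ethertypes, an assumption, not Suricata's decoder table; the sample capture at the bottom is constructed for the example, and the LLDP (0x88CC) and loopback (0x9000) frames in it are illustrative, not what was seen on the reporter's network.

```python
"""Ethertype histogram for a classic pcap, unwrapping 802.1Q/802.1ad tags.
Added example; not Suricata code. Assumes LINKTYPE_ETHERNET and a classic
(non-pcapng) file. KNOWN is this script's classification, not Suricata's."""
import struct
from collections import Counter
from typing import Optional

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # classic pcap, nanosecond timestamps
LINKTYPE_ETHERNET = 1

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
ETH_P_IPV6 = 0x86DD
ETH_P_8021Q = 0x8100           # VLAN C-tag
ETH_P_8021AD = 0x88A8          # QinQ S-tag

# Ethertypes treated as "decoded"; everything else is reported as a
# candidate for unknown_ethertype. Script's own assumption.
KNOWN = {ETH_P_IP, ETH_P_ARP, ETH_P_IPV6}


def parse_ethertype(frame: bytes) -> Optional[tuple]:
    """Return (vlan_ids, innermost_ethertype), or None if the frame is truncated."""
    if len(frame) < 14:
        return None
    (etype,) = struct.unpack_from("!H", frame, 12)
    off, vlans = 14, []
    while etype in (ETH_P_8021Q, ETH_P_8021AD):
        if len(frame) < off + 4:
            return None                     # tag header cut off
        tci, etype = struct.unpack_from("!HH", frame, off)
        vlans.append(tci & 0x0FFF)          # low 12 bits of the TCI = VLAN ID
        off += 4
    return tuple(vlans), etype


def iter_pcap_frames(data: bytes):
    """Yield the captured bytes of each record; both pcap endiannesses handled."""
    for endian in ("<", ">"):
        (magic,) = struct.unpack_from(endian + "I", data, 0)
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    (linktype,) = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported linktype {linktype}, expected Ethernet")
    off = 24
    while off + 16 <= len(data):
        _sec, _frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def ethertype_histogram(data: bytes):
    """Count frames per (vlan_ids, ethertype); return (Counter, truncated_frames)."""
    hist, truncated = Counter(), 0
    for frame in iter_pcap_frames(data):
        parsed = parse_ethertype(frame)
        if parsed is None:
            truncated += 1
            continue
        hist[parsed] += 1
    return hist, truncated


def unknown_by_ethertype(hist: Counter) -> Counter:
    """Collapse to ethertype -> count for ethertypes outside KNOWN, across VLANs."""
    out = Counter()
    for (_vlans, etype), n in hist.items():
        if etype not in KNOWN:
            out[etype] += n
    return out


# ---- constructed sample capture (illustrative, not the reporter's traffic) ----
def _frame(etype: int, vlan: Optional[int] = None, payload: bytes = bytes(46)) -> bytes:
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")  # dst, src
    if vlan is None:
        return hdr + struct.pack("!H", etype) + payload
    return hdr + struct.pack("!HHH", ETH_P_8021Q, vlan, etype) + payload


def build_pcap(frames) -> bytes:
    """Little-endian classic pcap: 24-byte global header + 16-byte record headers."""
    gh = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return gh + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


SAMPLE_PCAP = build_pcap([
    _frame(ETH_P_IP),                 # untagged IPv4
    _frame(ETH_P_IP, vlan=96),        # IPv4 on VLAN 96
    _frame(ETH_P_ARP),
    _frame(ETH_P_IPV6),
    _frame(0x88CC, vlan=1),           # LLDP on VLAN 1 (constructed)
    _frame(0x88CC),                   # untagged LLDP (constructed)
    _frame(0x9000, vlan=96),          # Ethernet loopback/CTP on VLAN 96 (constructed)
])

if __name__ == "__main__":
    hist, truncated = ethertype_histogram(SAMPLE_PCAP)
    for (vlans, etype), n in sorted(hist.items(), key=lambda kv: -kv[1]):
        tag = "vlan " + "/".join(map(str, vlans)) if vlans else "untagged"
        print(f"{n:6d}  0x{etype:04x}  {tag}")
    print("unknown ethertypes:", {f"0x{e:04x}": n for e, n in unknown_by_ethertype(hist).items()})
    print("truncated frames:", truncated)
```

To use it on a real capture, replace `SAMPLE_PCAP` with `open("capture.pcap", "rb").read()` from a short `tcpdump -i enp4s0 -w capture.pcap` run; `tcpdump -e -r capture.pcap` is a quick cross-check, since `-e` prints each frame's ethertype. Because VLAN tags are unwrapped before classifying, a high count on an untagged ethertype versus a tagged one also separates "the kernel delivers tagged frames for vlan96" from "some device on vlan1 talks a non-IP protocol", which is the configuration-versus-network question the report raises.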