Optimization #7849
openrule 2200121 : SURICATA Ethertype unknown
Description
Hi,
My Debian version: Debian GNU/Linux 13 (trixie)
Suricata version: 8.0.0
About rule 2200121:
Today, this alert brings up this information:
{
"timestamp": "2025-08-12T01:09:59.207354+0200",
"in_iface": "enp4s0",
"event_type": "alert",
"pkt_src": "wire/pcap",
"alert": {
"action": "allowed",
"gid": 1,
"signature_id": 2200121,
"rev": 1,
"signature": "SURICATA Ethertype unknown",
"category": "Generic Protocol Command Decode",
"severity": 3
}
}
Is it possible that in the future this alert will also indicate the affected protocol number?
In fact, yesterday I upgraded from Bookworm to Trixie and was able to compile Suricata version 8 (because rustc > 1.75.0).
In Suricata 7.0.11, this alert was never reported. But with version 8.0.0, yesterday over a period of 6h 31m 51s, I got:
38643 x 2200121 - SURICATA Ethertype unknown
Knowing the Ethertype would help clarify the problem:
- Is it a Suricata configuration issue? (The interface is 802.1q, enp4s0 = vlan1 and enp4s0.96 = vlan96, and I specified enp4s0 in the suricata configuration, IPS mode)
- Is it a Trixie issue, and if yes, which one?
- Is it a network attack?
- Other?
At the moment I don't have enough information to go further. Running a network analysis is always long and tedious.
Just for fun, unless I misunderstood something, for me:
capture.kernel_packets - decoder.ipv4 - decoder.arp - decoder.unknown_ethertype must be equal to zero.
316785 - 274652 - 3491 - 38643 = -1 Why?
Losing a packet isn't a big deal, but it can mask a bigger problem.
Thank you in advance for your feedback.
François.
---------------------------------------------------------------------------------------------------
Counter                                    | TM Name  | Value
---------------------------------------------------------------------------------------------------
capture.kernel_packets                     | Total    | 316785
capture.afpacket.polls                     | Total    | 532375
capture.afpacket.poll_timeout              | Total    | 416889
capture.afpacket.poll_data                 | Total    | 115486
decoder.pkts                               | Total    | 316786
decoder.bytes                              | Total    | 172455686
decoder.ipv4                               | Total    | 274652
decoder.ethernet                           | Total    | 316786
decoder.arp                                | Total    | 3491
decoder.unknown_ethertype                  | Total    | 38643
decoder.tcp                                | Total    | 145539
tcp.syn                                    | Total    | 212
tcp.synack                                 | Total    | 212
tcp.rst                                    | Total    | 19
decoder.udp                                | Total    | 122448
decoder.icmpv4                             | Total    | 1354
decoder.vlan                               | Total    | 222881
decoder.avg_pkt_size                       | Total    | 544
decoder.max_pkt_size                       | Total    | 1514
tcp.active_sessions                        | Total    | 1
flow.total                                 | Total    | 28709
flow.active                                | Total    | 92
flow.tcp                                   | Total    | 227
flow.udp                                   | Total    | 28302
flow.icmpv4                                | Total    | 180
flow.wrk.spare_sync_avg                    | Total    | 99
flow.wrk.spare_sync                        | Total    | 287
flow.wrk.spare_sync_incomplete             | Total    | 121
decoder.event.ipv4.opt_pad_required        | Total    | 3721
decoder.event.ethernet.unknown_ethertype   | Total    | 38643
flow.wrk.flows_evicted_needs_work          | Total    | 198
flow.wrk.flows_evicted_pkt_inject          | Total    | 336
flow.wrk.flows_evicted                     | Total    | 149
flow.wrk.flows_injected                    | Total    | 198
flow.wrk.flows_injected_max                | Total    | 1
tcp.sessions                               | Total    | 212
tcp.ssn_from_cache                         | Total    | 183
tcp.ssn_from_pool                          | Total    | 29
tcp.pseudo                                 | Total    | 6
tcp.segment_from_cache                     | Total    | 21390
tcp.segment_from_pool                      | Total    | 443
tcp.stream_depth_reached                   | Total    | 26
tcp.overlap                                | Total    | 2
detect.alert                               | Total    | 39163
detect.alerts_suppressed                   | Total    | 832
app_layer.flow.failed_tcp                  | Total    | 6
app_layer.flow.http                        | Total    | 3
app_layer.tx.http                          | Total    | 3
app_layer.flow.ftp                         | Total    | 31
app_layer.tx.ftp                           | Total    | 352
app_layer.flow.tls                         | Total    | 10
app_layer.flow.ssh                         | Total    | 6
app_layer.flow.ntp                         | Total    | 294
app_layer.tx.ntp                           | Total    | 756
app_layer.flow.ftp-data                    | Total    | 31
app_layer.flow.tftp                        | Total    | 13
app_layer.tx.tftp                          | Total    | 13
app_layer.flow.dhcp                        | Total    | 99
app_layer.tx.dhcp                          | Total    | 311
app_layer.flow.mdns                        | Total    | 20
app_layer.tx.mdns                          | Total    | 53032
app_layer.flow.failed_udp                  | Total    | 8165
app_layer.flow.dns_udp                     | Total    | 18947
app_layer.tx.dns_udp                       | Total    | 38841
app_layer.flow.sip_udp                     | Total    | 764
app_layer.tx.sip_udp                       | Total    | 72
app_layer.error.sip_udp.parser             | Total    | 6802
flow.end.state.new                         | Total    | 9159
flow.end.state.established                 | Total    | 19247
flow.end.state.closed                      | Total    | 211
flow.end.tcp_state.closed                  | Total    | 211
flow.mgr.full_hash_pass                    | Total    | 2337
flow.mgr.rows_per_sec                      | Total    | 6553
flow.spare                                 | Total    | 10925
flow.mgr.rows_maxlen                       | Total    | 2
flow.mgr.flows_checked                     | Total    | 68744
flow.mgr.flows_notimeout                   | Total    | 40255
flow.mgr.flows_timeout                     | Total    | 28489
flow.mgr.flows_evicted                     | Total    | 28490
flow.mgr.flows_evicted_needs_work          | Total    | 198
memcap.pressure                            | Total    | 5
memcap.pressure_max                        | Total    | 5
defrag.memuse                              | Total    | 33554432
flow.recycler.recycled                     | Total    | 28292
flow.recycler.queue_max                    | Total    | 24
tcp.memuse                                 | Total    | 1245184
tcp.reassembly_memuse                      | Total    | 276480
http.memuse                                | Total    | 336
http.byterange.memuse                      | Total    | 168384
http.byterange.memcap                      | Total    | 104857600
ippair.memuse                              | Total    | 398144
ippair.memcap                              | Total    | 398144
host.memuse                                | Total    | 382144
host.memcap                                | Total    | 33554432
flow.memuse                                | Total    | 7479904
FR Updated by François RAPIN 10 months ago
Hi,
Sorry for that, I made a mistake in the second part of my message. I had mixed apples with oranges. The correct formula is:
decoder.pkts - decoder.ipv4 - decoder.arp - decoder.unknown_ethertype must be equal to zero.
316786 - 274652 - 3491 - 38643 = 0
But my initial request to display the protocol number remains valid.
Have a nice day.
François
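A small check of the packet-accounting identity used in the two posts above, written as an added example (it is not part of the issue and not Suricata code): it parses rows in the "Counter | TM Name | Value" layout of stats.log, reproduced here as a constructed excerpt carrying the values from the first post, and returns the residual for either base counter, so the off-by-one between capture.kernel_packets and decoder.pkts shows up mechanically instead of by hand. Including decoder.ipv6 in the sum is an assumption for dual-stack networks; it is absent from the excerpt and counts as zero.

```python
import re

# Constructed excerpt of the stats.log table quoted in the issue; only the
# counters needed for the check are reproduced, values are the page's own.
STATS_TEXT = """
---------------------------------------------------------------------------
Counter                                    | TM Name  | Value
---------------------------------------------------------------------------
capture.kernel_packets                     | Total    | 316785
decoder.pkts                               | Total    | 316786
decoder.ipv4                               | Total    | 274652
decoder.ethernet                           | Total    | 316786
decoder.arp                                | Total    | 3491
decoder.unknown_ethertype                  | Total    | 38643
decoder.vlan                               | Total    | 222881
decoder.event.ethernet.unknown_ethertype   | Total    | 38643
"""

# name | thread-name | integer value; header and dashed rules do not match.
ROW_RE = re.compile(r"^\s*([\w.\-]+)\s*\|\s*([^|]+?)\s*\|\s*(\d+)\s*$")

# Counters directly under the Ethernet decoder: every frame counted by
# decoder.pkts should land in exactly one of them. decoder.ipv6 is an
# assumption for dual-stack links and is simply 0 when not present.
L3_COUNTERS = ("decoder.ipv4", "decoder.ipv6", "decoder.arp",
               "decoder.unknown_ethertype")


def parse_stats(text):
    """Return {counter_name: value} for every data row of the table."""
    counters = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(3))
    return counters


def residual(counters, base="decoder.pkts"):
    """base minus the sum of the layer-3 counters; 0 means nothing went missing."""
    return counters[base] - sum(counters.get(n, 0) for n in L3_COUNTERS)


def unknown_ethertype_share(counters):
    """Fraction of decoded packets that took the unknown-ethertype path."""
    return counters["decoder.unknown_ethertype"] / counters["decoder.pkts"]


if __name__ == "__main__":
    c = parse_stats(STATS_TEXT)
    for base in ("decoder.pkts", "capture.kernel_packets"):
        print(f"{base}: residual {residual(c, base)}")
    print(f"unknown ethertype share: {unknown_ethertype_share(c):.1%}")
```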
PA Updated by Philippe Antoine 9 months ago
Jlucovsky you made it possible, but suricata.yaml needs one option in eve-log, right?
Like ethernet: yes # log ethernet header in events when available
FR Updated by François RAPIN 9 months ago
Hi,
This is a good idea to check over a few days. I'll check the size of the log files with these additional 22 bytes, but I think the impact will be minimal.
Thanks again for this idea.
Regards.
François
FR Updated by François RAPIN 8 months ago · Edited
Hi,
Sorry for that, but I have a doubt:
I modified my configuration file /etc/suricata/suricata.yaml with:
ethernet: yes
But I don't see any trace of the headers in the eve.json output.
Maybe I don't know how to search. In fact, I'm surprised that I can't find the "Ethertype" number or information like the source and destination MAC addresses. Did I do something wrong?
I'm on Trixie and I just upgraded to Suricata 8.0.1.
Thanks in advance for your help.
One example: cat /var/log/suricata/eve.json.1 | jq 'select(.ether == null)' | more
{
"timestamp": "2025-10-02T00:00:26.778820+0200",
"flow_id": 2003682908544790,
"event_type": "flow",
"src_ip": "192.168.96.81",
"src_port": 53735,
"dest_ip": "192.168.96.100",
"dest_port": 3551,
"ip_v": 4,
"proto": "TCP",
"flow": {
"pkts_toserver": 7,
"pkts_toclient": 6,
"bytes_toserver": 300,
"bytes_toclient": 996,
"start": "2025-10-01T23:59:19.269910+0200",
"end": "2025-10-01T23:59:19.595818+0200",
"age": 0,
"state": "closed",
"reason": "timeout",
"alerted": false,
"wrong_thread": true
},
"tcp": {
"tcp_flags": "1b",
"tcp_flags_ts": "1b",
"tcp_flags_tc": "1b",
"syn": true,
"fin": true,
"psh": true,
"ack": true,
"state": "closed",
"ts_max_regions": 1,
"tc_max_regions": 1
}
}
{
"timestamp": "2025-10-02T00:00:27.711646+0200",
"flow_id": 2029438225135704,
"event_type": "flow",
"src_ip": "192.168.96.81",
"src_port": 55570,
"dest_ip": "192.168.96.100",
"dest_port": 53,
"ip_v": 4,
"proto": "UDP",
"app_proto": "dns",
"flow": {
"pkts_toserver": 1,
"pkts_toclient": 1,
"bytes_toserver": 66,
"bytes_toclient": 138,
"start": "2025-10-01T23:55:19.013763+0200",
"end": "2025-10-01T23:55:19.015021+0200",
"age": 0,
"state": "established",
"reason": "timeout",
"alerted": false,
"tx_cnt": 2
}
}
{
"timestamp": "2025-10-02T00:00:31.646771+0200",
"event_type": "stats",
"stats": {
"uptime": 84862,
"ips": {
"accepted": 537199,
"blocked": 4256,
"rejected": 0,
"replaced": 0,
"drop_reason": {
"decode_error": 0,
"defrag_error": 0,
"defrag_memcap": 0,
"flow_memcap": 0,
"flow_drop": 2882,
"applayer_error": 0,
"applayer_memcap": 0,
"rules": 1219,
"threshold_detection_filter": 0,
"stream_error": 155,
"stream_memcap": 0,
"stream_midstream": 0,
"stream_reassembly": 0,
"stream_urgent": 0,
"nfq_error": 0,
"tunnel_packet_drop": 0,
"default_packet_policy": 0,
"default_app_policy": 0,
"pre_stream_hook": 0,
"pre_flow_hook": 0
}
},
"decoder": {
"pkts": 541455,
"bytes": 254584145,
"invalid": 0,
"ipv4": 541455,
"ipv6": 0,
"ethernet": 0,
"arp": 0,
"unknown_ethertype": 0,
"chdlc": 0,
"raw": 0,
"null": 0,
"sll": 0,
"sll2": 0,
"tcp": 239090,
"udp": 295271,
"sctp": 0,
"esp": 0,
"icmpv4": 7094,
"icmpv6": 0,
"ppp": 0,
"pppoe": 0,
"geneve": 0,
"gre": 0,
"vlan": 0,
"vlan_qinq": 0,
"vlan_qinqinq": 0,
"vxlan": 0,
"vntag": 0,
"ieee8021ah": 0,
"teredo": 0,
"ipv4_in_ipv4": 0,
My configuration file:
grep -v '^\s*$\|^\s*\#' /etc/suricata/suricata.yaml
%YAML 1.1
---
suricata-version: "7.0"
vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DC_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: 21
    GENEVE_PORTS: 6081
    VXLAN_PORTS: 4789
    TEREDO_PORTS: 3544
default-log-dir: /var/log/suricata/
stats:
  enabled: yes
  interval: 8
plugins:
outputs:
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      ethernet: yes # log ethernet header in events when available
      pcap-file: false
      community-id: false
      community-id-seed: 0
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
      types:
        - alert:
            tagged-packets: yes
        - frame:
            enabled: no
        - anomaly:
            enabled: yes
            types:
        - http:
            extended: yes # enable this for extended logging information
        - dns:
        - tls:
            extended: yes # enable this for extended logging information
        - files:
            force-magic: no # force logging magic on all logged files
        - drop:
            alerts: yes
            flows: all
            verdict: yes
        - smtp:
        - ftp
        - rdp
        - nfs
        - smb
        - tftp
        - ike
        - dcerpc
        - krb5
        - bittorrent-dht
        - snmp
        - rfb
        - sip
        - quic:
        - dhcp:
            enabled: yes
            extended: no
        - ssh
        - mqtt:
        - http2
        - pgsql:
            enabled: no
        - stats:
            totals: yes # stats for all threads merged together
            threads: no # per thread stats
            deltas: no # include delta values
        - flow
  - http-log:
      enabled: no
      filename: http.log
      append: yes
  - tls-log:
      enabled: no # Log TLS connections.
      filename: tls.log # File to store TLS logs.
      append: yes
  - tls-store:
      enabled: no
  - pcap-log:
      enabled: no
      filename: log.pcap
      limit: 1000mb
      max-files: 2000
      compression: none
      mode: normal # normal, multi or sguil.
      use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
      honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged.
  - alert-debug:
      enabled: no
      filename: alert-debug.log
      append: yes
  - stats:
      enabled: yes
      filename: stats.log
      append: yes # append to file (yes) or overwrite it (no)
      totals: yes # stats for all threads merged together
      threads: no # per thread stats
  - syslog:
      enabled: no
      facility: local5
  - file-store:
      version: 2
      enabled: no
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
  - tcp-data:
      enabled: no
      type: file
      filename: tcp-data.log
  - http-body-data:
      enabled: no
      type: file
      filename: http-data.log
  - lua:
      enabled: no
      scripts:
logging:
  default-log-level: notice
  default-output-filter:
  outputs:
  - console:
      enabled: yes
  - file:
      enabled: yes
      level: info
      filename: suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "
af-packet:
  - interface: enp4s0
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    ring-size: 32000
  - interface: default
af-xdp:
  - interface: default
dpdk:
  eal-params:
    proc-type: primary
  interfaces:
    - interface: 0000:3b:00.0 # PCIe address of the NIC port
      threads: auto
      promisc: true # promiscuous mode - capture all packets
      multicast: true # enables also detection on multicast packets
      checksum-checks: true # if Suricata should validate checksums
      checksum-checks-offload: true # if possible offload checksum validation to the NIC (saves Suricata resources)
      mtu: 1500 # Set MTU of the device in bytes
      mempool-size: 65535 # The number of elements in the mbuf pool
      mempool-cache-size: 257
      rx-descriptors: 1024
      tx-descriptors: 1024
      copy-mode: none
      copy-iface: none # or PCIe address of the second interface
    - interface: default
      threads: auto
      promisc: true
      multicast: true
      checksum-checks: true
      checksum-checks-offload: true
      mtu: 1500
      rss-hash-functions: auto
      mempool-size: 65535
      mempool-cache-size: 257
      rx-descriptors: 1024
      tx-descriptors: 1024
      copy-mode: none
      copy-iface: none
pcap:
  - interface: enp4s0
  - interface: default
pcap-file:
  checksum-checks: auto
app-layer:
  protocols:
    telnet:
      enabled: yes
    rfb:
      enabled: yes
      detection-ports:
        dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
    mqtt:
      enabled: yes
    krb5:
      enabled: yes
    bittorrent-dht:
      enabled: yes
    snmp:
      enabled: yes
    ike:
      enabled: yes
    tls:
      enabled: yes
      detection-ports:
        dp: 443
    pgsql:
      enabled: no
      stream-depth: 0
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    rdp:
    ssh:
      enabled: yes
    http2:
      enabled: yes
    smtp:
      enabled: yes
      raw-extraction: no
      mime:
        decode-mime: yes
        decode-base64: yes
        decode-quoted-printable: yes
        header-value-depth: 2000
        extract-urls: yes
        body-md5: no
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445
    nfs:
      enabled: yes
    tftp:
      enabled: yes
    dns:
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      libhtp:
        default-config:
          personality: IDS
          request-body-limit: 100kb
          response-body-limit: 100kb
          request-body-minimal-inspect-size: 32kb
          request-body-inspect-window: 4kb
          response-body-minimal-inspect-size: 40kb
          response-body-inspect-window: 16kb
          response-body-decompress-layer-limit: 2
          http-body-inline: auto
          swf-decompression:
            enabled: no
            type: both
            compress-depth: 100kb
            decompress-depth: 100kb
          double-decode-path: no
          double-decode-query: no
        server-config:
    modbus:
      enabled: no
      detection-ports:
        dp: 502
      stream-depth: 0
    dnp3:
      enabled: no
      detection-ports:
        dp: 20000
    enip:
      enabled: no
      detection-ports:
        dp: 44818
        sp: 44818
    ntp:
      enabled: yes
    quic:
      enabled: yes
    dhcp:
      enabled: yes
    sip:
asn1-max-frames: 256
datasets:
  defaults:
  limits:
  rules:
security:
  limit-noproc: true
  landlock:
    enabled: no
    directories:
      read:
        - /usr/
        - /etc/
        - /etc/suricata/
  lua:
coredump:
  max-dump: unlimited
host-mode: auto
runmode: workers
unix-command:
  enabled: yes
legacy:
  uricontent: enabled
exception-policy: auto
engine-analysis:
  rules-fast-pattern: yes
  rules: yes
pcre:
  match-limit: 3500
  match-limit-recursion: 1500
host-os-policy:
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: []
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []
defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60
flow:
  memcap: 128mb
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30
vlan:
  use-for-tracking: true
livedev:
  use-for-tracking: true
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
    emergency-bypassed: 50
  tcp:
    new: 60
    established: 600
    closed: 60
    bypassed: 100
    emergency-new: 5
    emergency-established: 100
    emergency-closed: 10
    emergency-bypassed: 50
  udp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
  icmp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
stream:
  memcap: 64mb
  checksum-validation: yes # reject incorrect csums
  inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 256mb
    depth: 1mb # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 32mb
decoder:
  teredo:
    enabled: true
    ports: $TEREDO_PORTS # syntax: '[3544, 1234]' or '3533' or 'any'.
  vxlan:
    enabled: true
    ports: $VXLAN_PORTS # syntax: '[8472, 4789]' or '4789'.
  geneve:
    enabled: true
    ports: $GENEVE_PORTS # syntax: '[6081, 1234]' or '6081'.
detect:
  profile: medium
  custom-values:
    toclient-groups: 3
    toserver-groups: 25
  sgh-mpm-context: auto
  prefilter:
    default: mpm
  grouping:
  profiling:
    grouping:
      dump-to-disk: false
      include-rules: false # very verbose
      include-mpm-stats: false
mpm-algo: ac
spm-algo: bm
threading:
  set-cpu-affinity: no
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ] # include only these CPUs in affinity settings
    - receive-cpu-set:
        cpu: [ 0 ] # include only these CPUs in affinity settings
    - worker-cpu-set:
        cpu: [ "all" ]
        mode: "exclusive"
        prio:
          low: [ 0 ]
          medium: [ "1-2" ]
          high: [ 3 ]
          default: "medium"
  detect-thread-ratio: 1.0
luajit:
  states: 128
profiling:
  rules:
    enabled: yes
    filename: rule_perf.log
    append: yes
    limit: 10
    json: yes
  keywords:
    enabled: yes
    filename: keyword_perf.log
    append: yes
  prefilter:
    enabled: yes
    filename: prefilter_perf.log
    append: yes
  rulegroups:
    enabled: yes
    filename: rule_group_perf.log
    append: yes
  packets:
    enabled: yes
    filename: packet_stats.log
    append: yes
    csv:
      enabled: no
      filename: packet_stats.csv
  locks:
    enabled: no
    filename: lock_stats.log
    append: yes
  pcap-log:
    enabled: no
    filename: pcaplog_stats.log
    append: yes
nfq:
  mode: accept
  batchcount: 20
  fail-open: yes
nflog:
  - group: 2
    buffer-size: 18432
  - group: default
    qthreshold: 1
    qtimeout: 100
    max-size: 20000
capture:
netmap:
  - interface: eth2
  - interface: default
pfring:
  - interface: enp4s0
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
  - interface: default
ipfw:
napatech:
  streams: ["0-3"]
  enable-stream-stats: no
  auto-config: yes
  hardware-bypass: yes
  inline: no
  ports: [0-1,2-3]
  hashmode: hash5tuplesorted
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules
classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config
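One way to answer the "maybe I don't know how to search" question in the post above, as an added example that is neither from the issue nor from Suricata: it reads eve.json line by line, counts per event_type how many events carry an ether object and how many do not (the inverse of the jq select(.ether == null) filter), and pulls the MAC pair out of the alerts for one signature_id. The ether/src_mac/dest_mac field names and the four sample lines are assumptions constructed for this example.

```python
import json
from collections import defaultdict

# Constructed sample of eve.json lines: two flow events, one stats event and
# one alert for sid 2200121 that carries an (assumed) ether object.
SAMPLE_EVE = """\
{"timestamp": "2025-10-02T00:00:26.778820+0200", "event_type": "flow", "src_ip": "192.168.96.81", "dest_ip": "192.168.96.100", "proto": "TCP"}
{"timestamp": "2025-10-02T00:00:27.711646+0200", "event_type": "flow", "src_ip": "192.168.96.81", "dest_ip": "192.168.96.100", "proto": "UDP", "app_proto": "dns"}
{"timestamp": "2025-10-02T00:00:31.646771+0200", "event_type": "stats", "stats": {"uptime": 84862}}
{"timestamp": "2025-10-02T00:01:02.000000+0200", "event_type": "alert", "in_iface": "enp4s0", "ether": {"src_mac": "02:00:00:00:00:01", "dest_mac": "02:00:00:00:00:02"}, "alert": {"signature_id": 2200121, "signature": "SURICATA Ethertype unknown"}}
"""


def _events(lines):
    """Yield one dict per non-empty line; unparseable lines get a marker type."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            yield {"event_type": "<unparseable>"}


def _has_ether(ev):
    return isinstance(ev.get("ether"), dict)


def ether_coverage(lines):
    """Per event_type: how many events carry an ether object and how many do not."""
    counts = defaultdict(lambda: {"with_ether": 0, "without_ether": 0})
    for ev in _events(lines):
        key = "with_ether" if _has_ether(ev) else "without_ether"
        counts[ev.get("event_type", "<none>")][key] += 1
    return dict(counts)


def alerts_with_ether(lines, sid):
    """(src_mac, dest_mac) for each alert of the given signature_id that has ether."""
    pairs = []
    for ev in _events(lines):
        if ev.get("event_type") != "alert":
            continue
        if ev.get("alert", {}).get("signature_id") != sid:
            continue
        ether = ev.get("ether") or {}
        if "src_mac" in ether and "dest_mac" in ether:
            pairs.append((ether["src_mac"], ether["dest_mac"]))
    return pairs


if __name__ == "__main__":
    lines = SAMPLE_EVE.splitlines()
    for etype, c in sorted(ether_coverage(lines).items()):
        print(f"{etype:<12} with ether: {c['with_ether']:>6}  without: {c['without_ether']:>6}")
    print("MAC pairs for sid 2200121:", alerts_with_ether(lines, 2200121))
```

On a real file, replace SAMPLE_EVE.splitlines() with the open file handle; a zero "with ether" count across every event type is the signal that the option did not take effect.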
JF Updated by Juliana Fajardini Reichow 16 days ago
- Status changed from New to Triaged
- Assignee changed from OISF Dev to Jeff Lucovsky
- Target version changed from TBD to 9.0.0-beta1
JL Updated by Jeff Lucovsky 15 days ago
Is it possible that in the future this alert will also indicate the affected protocol number?
Are you asking for the unknown ethertype value to be displayed?
JL Updated by Jeff Lucovsky 9 days ago
- Status changed from Triaged to In Progress
JL Updated by Jeff Lucovsky 8 days ago
- Status changed from In Progress to In Review