Bug #8247

open

Suricata 8.x does not show GRE tunnel source/destination in flow/alert logs

Added by Aneesh Patel 3 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport to 8.0

Description

If you play this pcap that utilizes GRE encapsulated traffic (attached), you can see we get the following log:

```json
{
  "timestamp": "2023-10-03T13:44:01.870735+0000",
  "flow_id": 362080176641266,
  "event_type": "flow",
  "src_ip": "10.0.0.1",
  "dest_ip": "10.0.0.2",
  "ip_v": 4,
  "proto": "ICMP",
  "icmp_type": 8,
  "icmp_code": 0,
  "response_icmp_type": 0,
  "response_icmp_code": 0,
  "flow": {
    "pkts_toserver": 5,
    "pkts_toclient": 5,
    "bytes_toserver": 420,
    "bytes_toclient": 420,
    "start": "2023-10-03T13:44:01.870735+0000",
    "end": "2023-10-03T13:44:05.878563+0000",
    "age": 4,
    "state": "established",
    "reason": "shutdown",
    "alerted": false
  }
}
```
We can see that the inner packet details are shown, but there are no details about the outer layer.

It seems that this was supposed to be fixed per this redmine long ago - https://redmine.openinfosecfoundation.org/issues/2011, but the test we just did on a suricata 8.0.3 fresh build shows that it is still not showing the outer layer.
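As an added triage example (not part of the report and not Suricata's own code): a small pure-Python GRE decapsulator run over a constructed Ethernet/IPv4/GRE/IPv4/ICMP frame, which extracts the outer and inner IP headers and then checks which of the two layers an EVE record's `src_ip`/`dest_ip` actually describe. The outer addresses 192.0.2.1/192.0.2.2 are assumed sample values, not taken from the attached pcap.

```python
import struct
import ipaddress

ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47

def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (checksum left 0; the parser below does not verify it)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

# Constructed sample frame (assumed outer addresses, NOT from the attached pcap):
# Ethernet / IPv4 192.0.2.1->192.0.2.2 / GRE / IPv4 10.0.0.1->10.0.0.2 / ICMP echo request.
ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"suricata"
INNER = build_ipv4("10.0.0.1", "10.0.0.2", 1, ICMP_ECHO)
GRE = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4) + INNER   # no C/K/S flags set
OUTER = build_ipv4("192.0.2.1", "192.0.2.2", IPPROTO_GRE, GRE)
FRAME = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + OUTER

def parse_ipv4(buf):
    """Return (header dict, payload) honouring IHL and total length."""
    ihl = (buf[0] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[2:4])[0]
    hdr = {"src_ip": str(ipaddress.IPv4Address(buf[12:16])),
           "dest_ip": str(ipaddress.IPv4Address(buf[16:20])), "proto": buf[9]}
    return hdr, buf[ihl:total_len]

def parse_gre(buf):
    """Return (payload ethertype, payload), skipping optional GRE fields (RFC 2784/2890)."""
    flags, ptype = struct.unpack("!HH", buf[:4])
    off = 4
    off += 4 if flags & 0x8000 else 0   # C: checksum + reserved1
    off += 4 if flags & 0x2000 else 0   # K: key
    off += 4 if flags & 0x1000 else 0   # S: sequence number
    return ptype, buf[off:]

def ip_layers(frame):
    """IP headers outermost first, following GRE-in-IPv4 encapsulation as deep as it goes."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    layers, buf = [], frame[14:]
    while True:
        hdr, payload = parse_ipv4(buf)
        layers.append(hdr)
        if hdr["proto"] != IPPROTO_GRE:
            return layers
        ptype, buf = parse_gre(payload)
        if ptype != ETHERTYPE_IPV4:
            return layers

def eve_describes_layer(record, layers):
    """Which IP layer an EVE flow/alert record's src_ip/dest_ip match: 'outer', 'inner' or None."""
    for name, hdr in zip(("outer", "inner"), (layers[0], layers[-1])):
        if (record["src_ip"], record["dest_ip"]) == (hdr["src_ip"], hdr["dest_ip"]):
            return name
    return None
```

Running `eve_describes_layer` with the flow record above against the layers of a frame from the pcap shows whether the logged addresses are the inner ones, which is the behaviour this report describes.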


Files

gre-eth0.pcap (1.37 KB) Aneesh Patel, 01/23/2026 06:40 PM
