BPF not working with ERSPAN with af_packet or pfring

Thank you, Jeff. I believe it is type II (will confirm, of course). It appears that Suricata itself decodes it fine (from Cisco Nexus and Catalyst sources); I believe the BPF magic happens before the decoding in Suricata. I will check tomorrow, though, and get back to you with what I see.

Also, I will do some more exploring with this, testing with the latest stable version of Suricata in our lab (which will also be running a 5.15 Linux kernel); I may be able to pull a pcap for @Andreas_Herz this way too. We'll see what that gets us.

Thank you both for your help on this!