VLAN has a next protocol field that is 16 bits, so it can potentially hold 64k unique values. When Suricata encounters a value there that it doesn’t support, it will set this event.
In the code:
Here is the vlan decoder
And here is the parser that parses the next layer
If the switch statement reaches the default case, it returns false and the event will be set in the vlan decoder.
To clarify, the fact that Suricata doesn’t know the protocol, doesn’t mean it is bad or weird or malicious. It might simply be a protocol that Suricata doesn’t have support for. We’re always interested in pcaps for such protocols.
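The following is an added illustration of the decoder logic described above (it is not Suricata's own code and the linked decoder is not reproduced here). It walks an Ethernet frame with one or two 802.1Q/802.1ad tags, reads the 16-bit encapsulated EtherType, and hands it to a stand-in "next layer" switch; if that switch falls through to its default case, the frame is classified the way the "unknown type" event would classify it. The list of recognised EtherTypes (IPv4, IPv6, ARP) and the two-tag limit are assumptions for this example, not Suricata's actual list. The `unknown_vlan_type()` helper is the kind of per-frame predicate one could use to select such frames from a capture when collecting pcaps of the unrecognised protocol; the sample frames at the bottom are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* EtherType values from the IANA/IEEE registry. Which of them a given
 * Suricata build decodes is an assumption here, not a copy of its switch. */
#define ETHERTYPE_IPV4  0x0800
#define ETHERTYPE_ARP   0x0806
#define ETHERTYPE_VLAN  0x8100   /* 802.1Q tag */
#define ETHERTYPE_IPV6  0x86DD
#define ETHERTYPE_QINQ  0x88A8   /* 802.1ad outer tag */

#define ETH_HDR_LEN   14
#define VLAN_HDR_LEN  4
#define MAX_VLAN_TAGS 2          /* assumed limit for this example */

enum decode_result {
    DECODE_OK,            /* inner protocol recognised by next_layer_known() */
    DECODE_UNKNOWN_TYPE,  /* switch hit its default case: the "unknown type" case */
    DECODE_TRUNCATED,     /* frame too short to hold the claimed headers */
    DECODE_NOT_VLAN       /* no 802.1Q/802.1ad tag after the Ethernet header */
};

static uint16_t rd16be(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hypothetical stand-in for the next-layer parser: the default case is what
 * turns into the decoder event in the real decoder. */
static bool next_layer_known(uint16_t ethertype) {
    switch (ethertype) {
    case ETHERTYPE_IPV4:
    case ETHERTYPE_IPV6:
    case ETHERTYPE_ARP:
        return true;
    default:
        return false;
    }
}

/* Parse Ethernet + up to MAX_VLAN_TAGS tags. *next_type receives the
 * innermost EtherType seen, so a caller can report which value was unknown. */
enum decode_result decode_vlan_frame(const uint8_t *frame, size_t len, uint16_t *next_type) {
    if (len < ETH_HDR_LEN) return DECODE_TRUNCATED;
    uint16_t type = rd16be(frame + 12);   /* Ethernet EtherType at offset 12 */
    *next_type = type;
    if (type != ETHERTYPE_VLAN && type != ETHERTYPE_QINQ) return DECODE_NOT_VLAN;

    size_t off = ETH_HDR_LEN;
    int tags = 0;
    while ((type == ETHERTYPE_VLAN || type == ETHERTYPE_QINQ) && tags < MAX_VLAN_TAGS) {
        if (len < off + VLAN_HDR_LEN) return DECODE_TRUNCATED;
        /* tag bytes 0-1: PCP/DEI/VID; bytes 2-3: encapsulated EtherType */
        type = rd16be(frame + off + 2);
        off += VLAN_HDR_LEN;
        tags++;
    }
    *next_type = type;
    /* A third nested tag also lands here, since 0x8100 is not in the list. */
    return next_layer_known(type) ? DECODE_OK : DECODE_UNKNOWN_TYPE;
}

/* Predicate for pulling candidate frames out of a capture: true only for
 * well-formed VLAN frames whose inner EtherType the stand-in parser rejects. */
bool unknown_vlan_type(const uint8_t *frame, size_t len) {
    uint16_t t;
    return decode_vlan_frame(frame, len, &t) == DECODE_UNKNOWN_TYPE;
}

/* Constructed sample frames (dst MAC, src MAC, tag(s), one payload byte). */
const uint8_t sample_vlan_ipv4[] = {
    1,2,3,4,5,6, 7,8,9,10,11,12, 0x81,0x00, 0x00,0x0A, 0x08,0x00, 0x45 };
const uint8_t sample_vlan_lldp[] = {   /* 0x88CC is not in this example's list */
    1,2,3,4,5,6, 7,8,9,10,11,12, 0x81,0x00, 0x00,0x0A, 0x88,0xCC, 0x02 };
const uint8_t sample_qinq_ipv6[] = {
    1,2,3,4,5,6, 7,8,9,10,11,12, 0x88,0xA8, 0x00,0x64, 0x81,0x00, 0x00,0x0A, 0x86,0xDD, 0x60 };
const uint8_t sample_truncated[] = {
    1,2,3,4,5,6, 7,8,9,10,11,12, 0x81,0x00, 0x00 };

int main(void) {
    const uint8_t *frames[] = { sample_vlan_ipv4, sample_vlan_lldp, sample_qinq_ipv6, sample_truncated };
    size_t lens[] = { sizeof sample_vlan_ipv4, sizeof sample_vlan_lldp,
                      sizeof sample_qinq_ipv6, sizeof sample_truncated };
    for (size_t i = 0; i < 4; i++) {
        uint16_t t = 0;
        enum decode_result r = decode_vlan_frame(frames[i], lens[i], &t);
        printf("frame %zu: result=%d next_type=0x%04X unknown=%d\n",
               i, (int)r, t, (int)unknown_vlan_type(frames[i], lens[i]));
    }
    return 0;
}
```

In a real collection workflow the same predicate logic drives the filter: keep frames for which the inner EtherType is one the engine does not decode, so the resulting pcap contains only the unrecognised protocol rather than the whole VLAN.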
Thank you very much for the details and please forgive me for the delay!
I’m pretty novice in terms of traffic analysis, please could you give me some more details in order to be able to understand what is generating this unrecognized traffic?
How can I filter the traffic to extract pcaps that may be useful to you?