ERSpan Type 1 in Suricata 6.0.9

ted_sf · March 7, 2023, 5:22pm

I know that ERSpan Type 1 is enabled by default in Suricata 6.0.9.

Does the decoder statement still need to be in suricata.yaml?

This command returns an empty line currently:
grep decoder.erspan stats.log

I guess because the line does not appear in the file at this time.

If it should I’ll add it.

If it is no longer necessary, is there a way to get erspan stats?

Andreas_Herz · March 8, 2023, 10:41am

You would see a warning if you put it in the config. How does your config look like and how do you run it? Could be related to the capture so might be worth to debug with more details about the setup.

Topic		Replies	Views
Using suricata as IDS for traffic from various networks via ERSPAN Help	5	1298	November 15, 2021
Suricata and Fortinet ERSpan Version 1 Help suricata	3	73	August 13, 2024
After installation, Suricata writes only statistics to eve Help	5	538	December 2, 2021
ERSPAN type II decpasulation/processing Help ips	6	2683	May 20, 2020
Suricata the output of eve.log does not include data on http connections Help	11	2286	November 27, 2021

ERSpan Type 1 in Suricata 6.0.9

Related topics