ERSpan Type 1 in Suricata 6.0.9

ted_sf · March 7, 2023, 5:22pm

I know that ERSpan Type 1 is enabled by default in Suricata 6.0.9.

Does the decoder statement still need to be in suricata.yaml?

This command returns an empty line currently:
grep decoder.erspan stats.log

I guess because the line does not appear in the file at this time.

If it should I’ll add it.

If it is no longer necessary, is there a way to get erspan stats?

Andreas_Herz · March 8, 2023, 10:41am

You would see a warning if you put it in the config. How does your config look like and how do you run it? Could be related to the capture so might be worth to debug with more details about the setup.

Topic		Replies	Views
Using suricata as IDS for traffic from various networks via ERSPAN Help	5	1142	November 15, 2021
Use suricata to replay pcap file without any output Help	4	544	August 4, 2021
ERSPAN type II decpasulation/processing Help ips	6	2395	May 20, 2020
ERROR: Pcap file does not exist Help	13	1936	October 15, 2021
Generic Protocol Command Decode Help	13	12549	March 13, 2021

ERSpan Type 1 in Suricata 6.0.9

Related Topics