Eve JSON Output with configuration : packet: yes

Hi All,

I’m currently referring to the following Suricata documentation (15.1.1. Eve JSON Output — Suricata 6.0.0 documentation) that has the following configuration settings in the suricata.yaml file

types:
  - alert:
      # payload: yes             # enable dumping payload in Base64
      # payload-buffer-size: 4kb # max size of payload buffer to output in eve-log
      # payload-printable: yes   # enable dumping payload in printable (lossy) format
      # packet: yes              # enable dumping of packet (without stream segments)

For the setting packet: yes, may I clarify the following

  1. What does enable dumping of packet (without stream segments) mean?
  2. I’ve seen that the packet information being output to the eve.json file is in Base64 format; is there anything that could be missing from the output? I’ve also tried to convert the generated output back to a pcap file and made a comparison using Wireshark, and observed that the lengths are the same as in the original test pcap file. Is there anything that needs to be taken note of here?

Thanks in advance for your time and assistance

Hi tanya,

  1. From what I understand, that’s because the packet contents could have come from upstream in different segments, which are then reassembled by Suricata into the proper packets. This log will therefore show the (reassembled) packet, without (possible) stream segments that may have existed. ([i] may help you visualize that better)
  2. From output-json-alert.c and output-json.c, my understanding is that the packet will be logged in its full length:
    suricata/output-json-alert.c at master · OISF/suricata · GitHub
    suricata/output-json.c at master · OISF/suricata · GitHub

Sorry for the late answer, and hope this can be of help!

[i] The TCP/IP Guide - TCP Data Handling and Processing: Streams, Segments and Sequence Numbers
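The round trip described in the question (decode the Base64 `packet` field of each alert back into a pcap and then compare record lengths in Wireshark) can be scripted so the length check is explicit rather than eyeballed. The following is an added example, not code from the thread or from the Suricata project. It assumes the alert record carries `packet` (Base64 of the full packet) and `packet_info.linktype` (the DLT value), which is how Suricata 6 emits them when `packet: yes` is set; the eve.json lines and the Ethernet/IPv4/TCP frames inside them are constructed here for the demo, not captured data.

```python
import base64
import json
import struct
from datetime import datetime
from typing import Iterable, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4  # classic little-endian pcap, microsecond timestamps
DLT_EN10MB = 1           # Ethernet; the usual value in packet_info.linktype
SNAPLEN = 262144


def build_sample_frame(payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame used only to fabricate eve.json records.
    Checksums are left at zero; we only need a byte string of a known length."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("0066778899aa") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


# Constructed sample frames; their lengths are what the pcap must reproduce.
SAMPLE_FRAMES = [
    build_sample_frame(b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    build_sample_frame(b"A" * 100),
]


def sample_eve_lines() -> List[str]:
    """Constructed eve.json lines: two alerts carrying `packet`, one alert without it
    (as if logged before packet: yes was enabled) and one flow record."""
    def alert(ts: str, frame: bytes) -> str:
        return json.dumps({
            "timestamp": ts, "event_type": "alert",
            "src_ip": "10.0.0.1", "dest_ip": "10.0.0.2", "proto": "TCP",
            "alert": {"signature_id": 1000001, "signature": "constructed test rule"},
            "packet": base64.b64encode(frame).decode("ascii"),
            "packet_info": {"linktype": DLT_EN10MB},
        })
    return [
        alert("2021-06-01T10:00:00.000100+0000", SAMPLE_FRAMES[0]),
        json.dumps({"timestamp": "2021-06-01T10:00:01.000000+0000", "event_type": "flow"}),
        json.dumps({"timestamp": "2021-06-01T10:00:02.000000+0000", "event_type": "alert",
                    "payload_printable": "alert without a packet field"}),
        alert("2021-06-01T10:00:03.500000+0000", SAMPLE_FRAMES[1]),
    ]


def ts_to_sec_usec(ts: str) -> Tuple[int, int]:
    """Suricata timestamps look like 2021-06-01T10:00:00.000100+0000."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
    return int(dt.timestamp()), dt.microsecond


def eve_packets_to_pcap(lines: Iterable[str]) -> Tuple[bytes, int]:
    """Decode the `packet` field of every eve record that has one and build a classic pcap.
    Returns (pcap bytes, packet count). incl_len is set equal to orig_len because the
    log holds the whole packet, so Wireshark should show the same frame lengths as the
    capture Suricata read. Records without `packet` (other event types, or alerts
    written while packet: yes was off) are skipped rather than written as empty frames."""
    linktype = None
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        b64 = ev.get("packet")
        if not b64:
            continue
        lt = ev.get("packet_info", {}).get("linktype", DLT_EN10MB)
        if linktype is None:
            linktype = lt
        elif lt != linktype:
            # A classic pcap has one linktype per file; mixed captures need pcapng.
            raise ValueError(f"mixed linktypes {linktype} and {lt}")
        frame = base64.b64decode(b64, validate=True)
        sec, usec = ts_to_sec_usec(ev["timestamp"])
        records.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN,
                         linktype if linktype is not None else DLT_EN10MB)
    return header + b"".join(records), len(records)


def pcap_packet_lengths(pcap: bytes) -> List[Tuple[int, int]]:
    """Walk a classic pcap and return (incl_len, orig_len) per record: the same numbers
    Wireshark shows as Frame Length / Captured Length, ready to compare with the source pcap."""
    (magic,) = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    off, out = 24, []
    while off < len(pcap):
        _sec, _usec, incl, orig = struct.unpack_from("<IIII", pcap, off)
        off += 16 + incl
        out.append((incl, orig))
    return out


if __name__ == "__main__":
    pcap, count = eve_packets_to_pcap(sample_eve_lines())
    print(f"{count} packets written; lengths {pcap_packet_lengths(pcap)}")
    print("expected", [(len(f), len(f)) for f in SAMPLE_FRAMES])
```

For a real eve.json, replace `sample_eve_lines()` with the file's lines and write the returned bytes to a `.pcap`; any record whose captured length is shorter than its original length in the comparison would indicate truncation, which is exactly what the full-length logging described in the answer should rule out.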

Thank you for the clarifications and that was really helpful
