How to fix SURICATA Ethertype unknown

mrn · August 14, 2025, 11:57am

Hello, guys, from month ago I installed suricata for my network, and got this alert:
08/14/2025-14:55:44.377170 [] [1:2200121:1] SURICATA Ethertype unknown [] [Classification: Generic Protocol Command Decode] [Priority: 3] [**] [Raw pkt: 01 80 C2 00 00 0E D8 EC E5 C1 CC 6E 88 CC 02 07 04 D8 EC E5 C1 CC 58 04 03 07 32 32 06 02 00 78 ]

And sometime get this alert:
08/14/2025-14:52:25.018098 [] [1:2027397:1] ET INFO Spotify P2P Client [] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 10.2.10.134:57621 → 10.2.11.255:57621

How to get correct info for first one.
Thank you for your time

Jeff_Lucovsky · August 17, 2025, 12:59pm

“Ethertype unknown” means that Suricata doesn’t recognize the layer 2 protocol. Suricata knows about most layer 2 protocols – see the full list in the source code file decode.h and/or `decode-ethernet.h

According to chatgpt — I cannot vouch for its response, but it looks reasonable.
It’s an LLDP advertisement from a device with chassis MAC D8:EC:E5:C1:CC:58, sent out of a locally labeled port “22”, with a 120-second TTL, using the standard LLDP multicast destination. (Typically there’s an End-of-LLDPDU TLV 00 00, which just isn’t shown here.)