If you’re willing to test a patch let me know, I think this might be a one line fix.
commit 8cff96b01542a16892f575aa421f3983b2d291ee
Refs: [fixes/tunnel-pkts/v1], suricata-5.0.1-451-g8cff96b01
Author: Victor Julien <victor@inliniac.net>
AuthorDate: Sat May 23 15:12:45 2020 +0200
Commit: Victor Julien <victor@inliniac.net>
CommitDate: Sat May 23 15:12:45 2020 +0200
eve: print interface info for vxlan and other tunnel pkts
---
src/decode.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/decode.c b/src/decode.c
index fdf5cb095..8e68a24d7 100644
--- a/src/decode.c
+++ b/src/decode.c
@@ -295,6 +295,7 @@ Packet *PacketTunnelPktSetup(ThreadVars *tv, DecodeThreadVars *dtv, Packet *pare
p->ts.tv_usec = parent->ts.tv_usec;
p->datalink = DLT_RAW;
p->tenant_id = parent->tenant_id;
+ p->livedev = parent->livedev;
/* set the root ptr to the lowest layer */
if (parent->root != NULL)