Missing VLAN Information in eve.json Logs with Suricata 7.0.1 Running in DPDK Mode

Hello Suricata Community,

I am currently using Suricata version 7.0.1 and running it in DPDK mode. I have encountered an issue where all the logs in eve.json are missing VLAN ID information. I have tried configuring the vlan: use-for-tracking setting in suricata.yaml both to true and false, but neither configuration seems to resolve the issue.

Additionally, it’s important to note that the traffic I am capturing includes both single-layer and double-layer VLAN tagged traffic. Despite this, no VLAN tags are being logged in eve.json.

Could someone please help me understand why the VLAN tags are not being captured in the logs? Is there a specific configuration I am missing, or is this a known issue with running Suricata in DPDK mode?

Any insights or suggestions would be greatly appreciated.

Thank you in advance for your assistance.

Hi,

Does eve.json contain VLAN tags if you run Suricata in a different capture mode, other than DPDK? DPDK does not do any packet modification, at either the HW or SW level, so DPDK should not be the issue here. I believe it will be more related to some Suricata configuration issues.
Can you first test it with some other capture mode to be sure?
Thanks.

Lukas

I tested both pf_ring and af-packet modes, and the VLAN information is still not output in eve.json. What should my troubleshooting approach be?

I have rechecked the original traffic and found that the VLAN tags were stripped from it. It appears to be an issue with the traffic itself.
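
The thread ends with the capture itself carrying no VLAN tags. As an added example (not from the posters or the Suricata project), this Python script counts how many frames in a classic pcap carry zero, one or two 802.1Q/802.1ad tags, which confirms whether tags reach the sensor at all. The function names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

# TPIDs that introduce a VLAN tag: 802.1Q, 802.1ad (QinQ), legacy QinQ.
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}

def vlan_stack(frame: bytes) -> list[int]:
    """Return the VLAN IDs in an Ethernet frame, outermost first."""
    ids, offset = [], 12  # skip destination and source MAC
    while len(frame) >= offset + 4:
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid not in VLAN_TPIDS:
            break
        ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return ids

def frames_from_pcap(data: bytes):
    """Yield raw frames from a classic (non-pcapng) Ethernet pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    pos = 24  # records start after the 24-byte global header
    while pos + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "I", data, pos + 8)[0]
        yield data[pos + 16 : pos + 16 + incl_len]
        pos += 16 + incl_len

def tag_depth_counts(pcap_bytes: bytes) -> Counter:
    """Count frames by number of VLAN tags (0 = untagged)."""
    return Counter(len(vlan_stack(f)) for f in frames_from_pcap(pcap_bytes))

# Constructed sample data: helpers that build test frames and a pcap in memory.
def build_frame(tags):
    macs = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"
    body = b"".join(struct.pack("!HH", tpid, vid) for tpid, vid in tags)
    return macs + body + struct.pack("!H", 0x0800) + b"\x00" * 46

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# One untagged, one single-tagged and one double-tagged frame.
SAMPLE_PCAP = build_pcap([build_frame([]), build_frame([(0x8100, 100)]),
                          build_frame([(0x88A8, 200), (0x8100, 100)])])
```

If every frame lands in the 0 bucket for a capture taken at the sensor's interface, the tags are being removed upstream of Suricata.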