Missing VLAN Information in eve.json Logs with Suricata 7.0.1 Running in DPDK Mode

scc000 · November 13, 2023, 11:53am

Hello Suricata Community,

I am currently using Suricata version 7.0.1 and running it in DPDK mode. I have encountered an issue where all the logs in eve.json are missing VLAN id information. I have tried configuring the vlan: use-for-tracking setting in suricata.yaml both to true and false, but neither configuration seems to resolve the issue.

Additionally, it’s important to note that the traffic I am capturing includes both single-layer and double-layer VLAN tagged traffic. Despite this, no VLAN tags are being logged in eve.json.

Could someone please help me understand why the VLAN tags are not being captured in the logs? Is there a specific configuration I am missing, or is this a known issue with running Suricata in DPDK mode?

Any insights or suggestions would be greatly appreciated.

Thank you in advance for your assistance.

lukashino · November 13, 2023, 2:40pm

Hi,

does eve.json contain VLAN tags if you run Suricata in a different capture mode - other than DPDK? DPDK does not do any packet modification - neither in HW/SW level so DPDK should not be the issue here. I believe it will be more related to some Suricata configuration issues.
Can you first test it with some other capture mode to be sure?
Thanks.

Lukas

scc000 · November 14, 2023, 4:36am

I tested both pf_ring and af-packet modes, and the vlan information is still not output in eve.json. What should my troubleshooting approach be?

scc000 · November 15, 2023, 10:20am

I have rechecked the original traffic and found that the VLAN tags were stripped from it. It appears to be an issue with the traffic itself.