Suricata 5.0.2 Parsing http exception

Wireshark doesn’t restore packets. The packets are missing, it can’t “invent” them back. But what it does well is show as much of the HTTP session as possible. In Suricata we’re working on improving this as well.

AF_PACKET would have reported drops if it saw any, so I now really believe the packet loss happens before Suricata.

Yes, if it can show more HTTP sessions, that should be the best way. I also very much expect it to come as soon as possible.
Will alert events also be affected by this issue?

This may be related to AWS traffic mirroring, but I don’t know how to solve it. AWS’s traffic mirroring function is just a function for users, and it uses VXLAN to send data to Suricata.

@vjulien hi, again.
I found that the packet was lost. It seems to be related to VXLAN overload of the 9015 MTU.
VXLAN adds 50 bytes to the original packet. We found 50 bytes missing from the packets in the capture file.

For example, if an 8996 byte packet is mirrored, and the traffic mirror target MTU value is 9001 bytes, the mirror encapsulation results in the mirrored packet being greater than the MTU value. In this case, the mirror packet is truncated. To prevent mirror packets from being truncated, set the traffic mirror source interface MTU value to 54 bytes less than the traffic mirror target MTU value. For more information about configuring the network MTU value, see Network Maximum Transmission Unit (MTU) for Your EC2 Instance in the Amazon EC2 User Guide for Linux Instances.
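As an added example (not code from the thread's participants, Suricata or AWS), the following script models the VXLAN/MTU truncation described above in two ways: it predicts whether a mirrored packet of a given size will overflow the target MTU, and it checks a decapsulated frame for bytes that the IPv4 Total Length field promises but that are missing from the capture. The 50-byte overhead and the 54-byte margin are taken from the post; the assumption that the overhead is simply added to the whole original packet length is a simplification, and the sample frame is constructed.

```python
import struct

# Outer headers VXLAN puts in front of the mirrored frame:
# Ethernet (14) + IPv4 (20) + UDP (8) + VXLAN (8) = 50 bytes, the figure from the thread.
VXLAN_OVERHEAD = 14 + 20 + 8 + 8
# Margin AWS recommends between the mirror source MTU and the mirror target MTU.
AWS_RECOMMENDED_MARGIN = 54


def max_safe_source_mtu(target_mtu: int) -> int:
    """Largest source-interface MTU that follows AWS's 54-byte advice."""
    return target_mtu - AWS_RECOMMENDED_MARGIN


def mirrored_overflow(original_len: int, target_mtu: int) -> int:
    """Bytes by which the VXLAN-encapsulated copy exceeds the target MTU (0 if it fits).
    Simplified model (assumption): the 50-byte overhead is added to the full packet length."""
    return max(0, original_len + VXLAN_OVERHEAD - target_mtu)


def ipv4_shortfall(frame: bytes) -> int:
    """For an inner Ethernet+IPv4 frame (after VXLAN decapsulation), return how many
    bytes the IPv4 Total Length field declares that are not present in the capture.
    A non-zero result is the signature of a packet truncated in transit."""
    if len(frame) < 14 + 20:
        raise ValueError("frame too short for Ethernet + IPv4 headers")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    total_len = struct.unpack("!H", frame[16:18])[0]  # IPv4 Total Length field
    present = len(frame) - 14                          # bytes after the Ethernet header
    return max(0, total_len - present)


def build_frame(ip_payload_len: int) -> bytes:
    """Constructed Ethernet+IPv4/UDP frame with a zero-filled payload (checksum left 0)."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + ip_payload_len, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + b"\x00" * ip_payload_len


if __name__ == "__main__":
    # The AWS example: an 8996-byte packet mirrored to a 9001-MTU target.
    print("overflow bytes:", mirrored_overflow(8996, 9001))
    print("recommended source MTU:", max_safe_source_mtu(9001))
    intact, cut = build_frame(200), build_frame(200)[:-50]
    print("shortfall intact/cut:", ipv4_shortfall(intact), ipv4_shortfall(cut))
```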