Tcpdump on same interface as Suricata shows no IP addresses

heisse · April 7, 2021, 2:40pm

Hi,
I am using Suricata on Ubuntu 20 to monitor an interface. When i run tcpdump on the same interface , tcpdump returns “unknown ip 0”. The same is when i use tshark.
with tshark I get the response:

1 0.000000000 N/A → N/A N/A 74 Raw packet data

When I stop Suricata , and i run both tcpdump and tshark simultaneously there is no issue.

Suricata is configured to AF_Packet Mode.

Is this expected behavior, and if yes why or am I missing something in the configuration?

Any advice is appreciated

Thanks

Andreas_Herz · April 20, 2021, 8:42pm

How do you run tcpdump and suricata exactly?

I do the same (running tcpdump while Suricata running) and can’t confirm that.

Topic		Replies	Views
Suricata cannot parse tls/http traffice Help	6	182	December 13, 2023
Packets dropping or not Help	1	313	September 9, 2021
Application detection and duplicate TCP/SYN Help	6	1009	September 1, 2022
Suricata parse http error, lots of /libhtp::request_uri_not_seen and http request info lose Help suricata	3	365	August 31, 2023
AF_PACKET IPS mode NOT copy tcp ack packet to another I/F Help ips , suricata	2	440	August 7, 2023

Tcpdump on same interface as Suricata shows no IP addresses

Related Topics