I presume this is all "tagged" traffic ?<br><br><div class="gmail_quote">On Tue, Nov 8, 2011 at 4:57 AM, Peter Bates <span dir="ltr"><<a href="mailto:peter.bates@ucl.ac.uk">peter.bates@ucl.ac.uk</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; padding-left: 1ex; border-left-color: rgb(204, 204, 204); border-left-width: 1px; border-left-style: solid;"><div class="im">-----BEGIN PGP SIGNED MESSAGE-----<br>

Hash: SHA1<br>
<br>
<br>
Hello all<br>
<br>
</div><div class="im">On 07/11/2011 17:59, Peter Manev wrote:<br>
> Hi, This could very well be the reason. Are there any VLANs<br>
> involved where the interface where Suricata listens to is not part<br>
> of those VLANs/VLAN ?<br>
<br>
</div>Suricata is on a port carrying an RSPAN of traffic from elsewhere in<br>
the network.<br>
<br>
- From stats.log:<br>
<br>
decoder.vlan              | Decode & Stream           | 0<br>
<br>
which I presume means that Suricata itself isn't actually decoding<br>
VLAN packets in the stream.<br>
<div class="im"><br>
- --<br>
Peter Bates<br>
Senior Computer Security Officer    Phone: <a href="tel:%2B44%280%292076792049" value="+442076792049">+44(0)2076792049</a><br>
Information Services Division       Internal Ext: 32049<br>
University College London<br>
London WC1E 6BT<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2.0.17 (MingW32)<br>
Comment: Using GnuPG with Mozilla - <a href="http://enigmail.mozdev.org/" target="_blank">http://enigmail.mozdev.org/</a><br>
<br>
</div>iQEcBAEBAgAGBQJOuSdQAAoJELhVoVpEMS6R/JkIAJHu9i8vEgLt3GULWCVvyoPb<br>
XBqK5gqvZ/2oiWULxU5oCEk98yrGUSFpwJGXiYxAtSz8G1Im4nXhJnkzrK+eCsrb<br>
OZPFmL1jvpvOm9MtNKRE/j9mS4Lj+/D7pT4nKT4fxo/yx77GlFICw10EynmtFF4g<br>
FwWXZhTOLh/1P+PNbuQiySjTtDMqCHZQk8P+sfLDAB/V5WveUgjxENF3U307MVxg<br>
1dK6X0uGfbXRD/+eaysW9wpnnFfJ87y6Nk5vDsldmt4G1dTfQ4fVIpO+gS/w7mWO<br>
C0GfOG5AScRhDVgYSp9hxOVS5CQ8nB6m4R6SNIHfe1ymuDcYqcp9zzcLcN8w5vQ=<br>
=60Gq<br>
<div><div></div><div class="h5">-----END PGP SIGNATURE-----<br>
<br>
_______________________________________________<br>
Oisf-users mailing list<br>
<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Peter Manev<br>