<div dir="ltr"><div><div><div><div><div>Seems not:<br>grep vlan stats.log | tail -10<br>decoder.vlan | AFPacketeth11 | 0<br>decoder.vlan_qinq | AFPacketeth11 | 0<br>decoder.vlan | AFPacketeth01 | 0<br>decoder.vlan_qinq | AFPacketeth01 | 0<br>decoder.vlan | AFPacketeth11 | 0<br>decoder.vlan_qinq | AFPacketeth11 | 0<br>decoder.vlan | AFPacketeth01 | 0<br>decoder.vlan_qinq | AFPacketeth01 | 0<br>decoder.vlan | AFPacketeth11 | 0<br>decoder.vlan_qinq | AFPacketeth11 | 0<br><br></div>and:<br>suricata --dump-counters | grep vlan<br>suricata: unrecognized option '--dump-counters'<br><br></div>in tcpdump I do see:<br> 802.1q Virtual LAN, PRI:0, CFI: 0, ID: 503<br> 802.1q Virtual LAN, PRI:0, CFI: 0, ID: 241<br></div><br></div>I do see:<br>ethtool -k eth1<br>Features for eth1:<br>rx-checksumming: off<br>tx-checksumming: off<br> tx-checksum-ipv4: off<br> tx-checksum-unneeded: off [fixed]<br> tx-checksum-ip-generic: off [fixed]<br> tx-checksum-ipv6: off<br> tx-checksum-fcoe-crc: off [fixed]<br> tx-checksum-sctp: off [fixed]<br>scatter-gather: off<br> tx-scatter-gather: off<br> tx-scatter-gather-fraglist: off [fixed]<br>tcp-segmentation-offload: off<br> tx-tcp-segmentation: off<br> tx-tcp-ecn-segmentation: off<br> tx-tcp6-segmentation: off<br>udp-fragmentation-offload: off [fixed]<br>generic-segmentation-offload: off<br>generic-receive-offload: off<br>large-receive-offload: off [fixed]<br>rx-vlan-offload: off<br>tx-vlan-offload: off<br>ntuple-filters: off [fixed]<br>receive-hashing: off [fixed]<br>highdma: on<br>rx-vlan-filter: off [fixed]<br>vlan-challenged: off [fixed]<br>tx-lockless: off [fixed]<br>netns-local: off [fixed]<br>tx-gso-robust: off [fixed]<br>tx-fcoe-segmentation: off [fixed]<br>fcoe-mtu: off [fixed]<br>tx-nocache-copy: on<br>loopback: off [fixed]<br><br></div>In suricata.yaml:<br>vlan:<br> use-for-tracking: true<br><br></div><div class="gmail_extra"><br><div class="gmail_quote">2015-02-27 10:46 GMT+01:00 Peter Manev <span dir="ltr"><<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Fri, Feb 27, 2015 at 9:11 AM, john nesh <<a href="mailto:john.nesh76@gmail.com">john.nesh76@gmail.com</a>> wrote:<br>
> Nope, I think that this is the issue.<br>
> What could I share in order to get troubleshooting faster?<br>
<br>
</span>Can you try to see(just to confirm) if there are any vlan counters in<br>
the stats.log (something like..)<br>
grep vlan stats.log | tail -10<br>
<br>
Then could you do<br>
suricata --dump-counters |grep vlan<br>
<br>
<br>
Thanks<br>
<div class="HOEnZb"><div class="h5"><br>
><br>
> 2015-02-26 23:37 GMT+01:00 Peter Manev <<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>>:<br>
>><br>
>> On Thu, Feb 26, 2015 at 10:51 PM, john nesh <<a href="mailto:john.nesh76@gmail.com">john.nesh76@gmail.com</a>> wrote:<br>
>> > Seems not working also in this way.<br>
>> > Is there anything else I could check?<br>
>><br>
>> Do you have vlan IDs in eve.json ?<br>
>><br>
>> ><br>
>> > 2015-02-26 21:53 GMT+01:00 Peter Manev <<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>>:<br>
>> >><br>
>> >> On Thu, Feb 26, 2015 at 9:43 PM, john nesh <<a href="mailto:john.nesh76@gmail.com">john.nesh76@gmail.com</a>><br>
>> >> wrote:<br>
>> >> > You are right,<br>
>> >> ><br>
>> >> > rx-vlan-offload: on<br>
>> >> > tx-vlan-offload: on<br>
>> >> ><br>
>> >> > Do I have to disable it?<br>
>> >><br>
>> >> Just run that -<br>
>> >> /opt/selks/Scripts/Setup/reconfigure-listening-interface_stamus.sh<br>
>> >><br>
>> >><br>
>> >><br>
>> >> ><br>
>> >> > 2015-02-26 21:04 GMT+01:00 Peter Manev <<a href="mailto:petermanev@gmail.com">petermanev@gmail.com</a>>:<br>
>> >> >><br>
>> >> >> On Thu, Feb 26, 2015 at 8:18 PM, john nesh <<a href="mailto:john.nesh76@gmail.com">john.nesh76@gmail.com</a>><br>
>> >> >> wrote:<br>
>> >> >> > Hi,<br>
>> >> >> ><br>
>> >> >> > I am facing a different behaviour regarding vlans in logs.<br>
>> >> >> > I made an installation of securityonion and vlan worked log in<br>
>> >> >> > eve.json<br>
>> >> >> > worked flawlessy but not in selks.<br>
>> >> >> > I have read that vlan behaviour had changed in 2.1<br>
>> >> >> ><br>
>> >> >> > in my suricata.yaml I have:<br>
>> >> >> ><br>
>> >> >> > vlan:<br>
>> >> >> > use-for-tracking: true<br>
>> >> >> ><br>
>> >> >> > But I have no log in eve.json.<br>
>> >> >> > Is this an expected behaviour?<br>
>> >> >><br>
>> >> >> You might have vlan offloading enabled on your NIC - if that is the<br>
>> >> >> case you would need to disable it.<br>
>> >> >> (ethtool -k interface - will show the status)<br>
>> >> >><br>
>> >> >> ><br>
>> >> >> > John<br>
>> >> >> ><br>
>> >> >> > _______________________________________________<br>
>> >> >> > Suricata IDS Users mailing list:<br>
>> >> >> > <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
>> >> >> > Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support:<br>
>> >> >> > <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
>> >> >> > List:<br>
>> >> >> ><br>
>> >> >> > <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
>> >> >> > Training now available: <a href="http://suricata-ids.org/training/" target="_blank">http://suricata-ids.org/training/</a><br>
>> >> >><br>
>> >> >><br>
>> >> >><br>
>> >> >> --<br>
>> >> >> Regards,<br>
>> >> >> Peter Manev<br>
>> >> ><br>
>> >> ><br>
>> >><br>
>> >><br>
>> >><br>
>> >> --<br>
>> >> Regards,<br>
>> >> Peter Manev<br>
>> ><br>
>> ><br>
>><br>
>><br>
>><br>
>> --<br>
>> Regards,<br>
>> Peter Manev<br>
><br>
><br>
<br>
<br>
<br>
</div></div><span class="HOEnZb"><font color="#888888">--<br>
Regards,<br>
Peter Manev<br>
</font></span></blockquote></div><br></div>