[Oisf-users] Suricata VLAN

[Christophe Vandeplas]

Hello,

I have a situation where a switch is acting 'originally' with traffic mirroring.

The mirrored traffic in inbound direction is in the native vlan, and
the outbound is in a tagged vlan.

I wonder how Suricata handles these flows.
Will it be able to reconstruct the TCP sessions correctly? Even if the
traffic is not in the same VLAN?

What would be the impact if it doesn't reconstruct the traffic?
I'm certain that some things will still work, but I'm not certain
about the real impact.


Thanks for the advice.
Christophe