[Oisf-devel] Adding New Protocol Support for Suricata

Victor Julien victor at inliniac.net
Tue May 15 11:30:06 UTC 2012

On 05/14/2012 12:01 PM, Prabhakaran Kasinathan wrote:
> Dear Developer's,
> I am doing my master of science thesis at Politecnico di torino, Italy.
> My thesis concentrates on developing an efficient intrusion detection
> system for Wireless Sensor Networks. Basically concentrating on the
> protocols (* IEEE 802.15.4, 6LoWPAN *and its application level
> protocol *COAP(Http)* ) . I have been trying to analyse SNORT and
> SURICATA ( Both doesnt support decoding these protocols ). Found
> SURICATA has some better capabilities, hence decided to work with this.
> But to start with I have some problems.
> Problem:
>   * Currently I have an sensor node which sniff the IEEE 802.15.4
>     traffic and forward them to a virtual Interface ( TUN/TAP ). 
>   * I tried to run Suricata on that interface , I got the error
>     8/5/2012 -- 17:02:56 - <Error> - [ERRCODE:
>     SC_ERR_DATALINK_UNIMPLEMENTED(38)] - Error: datalink type 195 not
>     yet supported in module DecodePcap
> Question:
>   * How to add support for this datalink type in DecodePcap?

Check the DecodePcap function in source-pcap.c. Currently Linux SLL,
Ethernet, Raw and PPP are supported there.

>   * How to develop decoder for a new protocol? // /Better to have some
>     examples,tutorials./

I agree that would be useful. Until we have that, please have a look at
a decoder like the one for ethernet in decode-ethernet.c

>   * Wireshark can dissect almost all the protocols which I need. Is
>     there any way we can use it for developing decoder for Suricata?

Only as a reference. There is no way to directly use it in Suricata.

> It would be a great help for me to start and contribute for this
> opensource community through my thesis.

I agree that would be nice! Feel free to ask more questions, thats what
this list if for!


Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-devel mailing list