[Oisf-users] Packet capture dump in unified2 logs.

Nikolay Denev ndenev at gmail.com
Thu Feb 16 13:40:20 UTC 2012

On Feb 15, 2012, at 5:03 PM, Peter Manev wrote:

> Ok,
> Just a couple of suggestions:
> 1. Make the MTU on the suricata box equal the MTU on the switch port where it is connected to.

I don't think this is an issue, as all of the other ports are not jumbo frames enabled, and I don't have frames bigger than 1522 bytes.

> 2. The interface that Suricata listens on (ex. eth0), does it have all the VLANs untagged there? Or some are tagged and some untagged? Because if not - that might be a problem.

I was wrong, there are some untagged packets, but they are mirrored LACP and LLDP frames.
All the IP traffic from the mirrored ports is QinQ tagged, with the outer tag carrying VLAN 0 and the inner tag carrying the actual VLAN being mirrored (all the ports that I mirror have only VLAN-tagged traffic).
Suricata seems to handle this OK, probably ignores the VLAN tag?

> and if you could check that these two have any different effect ? ...
> thanks
> -- 
> Regards,
> Peter Manev
