[Oisf-users] Packet capture dump in unified2 logs.

Peter Manev petermanev at gmail.com
Thu Feb 16 13:51:31 UTC 2012

On Thu, Feb 16, 2012 at 2:40 PM, Nikolay Denev <ndenev at gmail.com> wrote:

> On Feb 15, 2012, at 5:03 PM, Peter Manev wrote:
> >
> > Ok,
> > Just a couple of suggestions:
> > 1. Make the MTU on the Suricata box equal to the MTU on the switch port
> it is connected to.
> I don't think this is an issue, as all of the other ports are not jumbo
> frames enabled, and I don't have frames bigger than 1522 bytes.
Ok, I thought you had frames bigger than that...

> > 2. The interface that Suricata listens on (ex. eth0), does it have all
> the VLANs untagged there? Or some are tagged and some untagged? Because if
> not - that might be a problem.
> >
> I was wrong, there are some untagged packets, but they are mirrored LACP
> and LLDP frames.
> All the IP traffic from the mirrored ports is QinQ tagged, with the outer
> tag with VLAN 0 and the inner with the actual VLAN being mirrored (all the
> ports that I mirror have only VLAN tagged traffic).
> Suricata seems to handle this OK, probably ignores the VLAN tag?
In that case the only discrepancy I see is the reported length of the
packet in Suricata and Snorby - to me it looks like Suri reports it
correctly (debug log), but Snorby does not. I cannot be sure because from
what I saw in the screenshot of Snorby, the packet has the same SEQ and ACK
number - kind of strange, and the SEQ or ACK number there does not match the
one in the debug log... can you please confirm that?

> > and if you could check that these two have any different effect? ...
> >
> > thanks
> >
> > --
> > Regards,
> > Peter Manev
> >

Peter Manev
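As an added example that is not part of the thread, here is a small Python parser that walks a frame tagged the way Nikolay describes (outer 802.1Q tag with VID 0, inner tag carrying the mirrored VLAN) and reports the byte counts each layer sees alongside the TCP SEQ/ACK, which is what you would compare against the Suricata debug log and the Snorby view to pin down a length mismatch. The sample frame is constructed inline; the MAC addresses, IP addresses and ports in it are made-up values.

```python
import struct

ETH_P_8021Q = 0x8100  # 802.1Q TPID; a second one right after it is QinQ
ETH_P_IP = 0x0800


def parse_frame(frame: bytes) -> dict:
    """Walk Ethernet -> 802.1Q tag(s) -> IPv4 -> TCP and report what each layer sees."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vids = 14, []
    while ethertype == ETH_P_8021Q:          # peel every tag, outer first
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        vids.append(tci & 0x0FFF)            # low 12 bits of the TCI are the VID
        offset += 4
    result = {"vids": vids, "tag_bytes": 4 * len(vids), "frame_len": len(frame),
              "ip_total_len": None, "tcp": None}
    if ethertype != ETH_P_IP:
        return result                        # e.g. LACP/LLDP: nothing more to decode
    ihl = (frame[offset] & 0x0F) * 4
    result["ip_total_len"] = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
    if frame[offset + 9] == 6:               # IP protocol 6 = TCP
        t = offset + ihl
        sport, dport, seq, ack = struct.unpack("!HHII", frame[t:t + 12])
        result["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack}
    return result


def build_tcp_frame(vids, payload: bytes, seq: int, ack: int) -> bytes:
    """Constructed sample: zero or more 802.1Q tags (two = QinQ), then IPv4/TCP.
    MAC addresses, IPs and ports are made-up values; IP/TCP checksums are left 0."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    for vid in vids:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    hdr += struct.pack("!H", ETH_P_IP)
    ip_len = 20 + 20 + len(payload)          # what the IP header itself claims
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, ack, 5 << 4, 0x18, 8192, 0, 0)
    return hdr + ip + tcp + payload


if __name__ == "__main__":
    # Mirrored QinQ traffic as described in the thread: outer VID 0, inner VID 100.
    qinq = build_tcp_frame([0, 100], b"GET / HTTP/1.0\r\n", seq=1000, ack=2000)
    print(parse_frame(qinq))
```

The wire length minus 14 bytes of Ethernet header minus 4 bytes per tag should equal the IP total length; if one tool reports the frame length and another the IP length, that difference is exactly the tag overhead.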