[Oisf-users] Suricata not detecting app-layers

Tue Dec 23 15:51:53 UTC 2014

Sorry, didn't notice the TO-bar.

> Can you share a section of your 'stats.log'?
> 
> Can you record a part of the traffic and inspect it with tcpdump or wireshark to see if the span port really sends you all the packets?

Tcpdump tells me all is well, but I have to say I'm not fluent in tcpdump. I'd really like to reassemble a file from a packet dump, to be sure...

Stats.log:
-------------------------------------------------------------------
Date: 12/23/2014 -- 16:50:11 (uptime: 0d, 00h 30m 18s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxPcapeth21               | 2519028
capture.kernel_drops      | RxPcapeth21               | 0
capture.kernel_ifdrops    | RxPcapeth21               | 0
dns.memuse                | RxPcapeth21               | 226
dns.memcap_state          | RxPcapeth21               | 0
dns.memcap_global         | RxPcapeth21               | 0
decoder.pkts              | RxPcapeth21               | 2519028
decoder.bytes             | RxPcapeth21               | 2519619464
decoder.invalid           | RxPcapeth21               | 0
decoder.ipv4              | RxPcapeth21               | 2499042
decoder.ipv6              | RxPcapeth21               | 52
decoder.ethernet          | RxPcapeth21               | 2519028
decoder.raw               | RxPcapeth21               | 0
decoder.sll               | RxPcapeth21               | 0
decoder.tcp               | RxPcapeth21               | 1992285
decoder.udp               | RxPcapeth21               | 299542
decoder.sctp              | RxPcapeth21               | 0
decoder.icmpv4            | RxPcapeth21               | 21445
decoder.icmpv6            | RxPcapeth21               | 30
decoder.ppp               | RxPcapeth21               | 0
decoder.pppoe             | RxPcapeth21               | 0
decoder.gre               | RxPcapeth21               | 0
decoder.vlan              | RxPcapeth21               | 0
decoder.vlan_qinq         | RxPcapeth21               | 0
decoder.teredo            | RxPcapeth21               | 22
decoder.ipv4_in_ipv6      | RxPcapeth21               | 0
decoder.ipv6_in_ipv6      | RxPcapeth21               | 0
decoder.avg_pkt_size      | RxPcapeth21               | 1000
decoder.max_pkt_size      | RxPcapeth21               | 1514
defrag.ipv4.fragments     | RxPcapeth21               | 4
defrag.ipv4.reassembled   | RxPcapeth21               | 2
defrag.ipv4.timeouts      | RxPcapeth21               | 0
defrag.ipv6.fragments     | RxPcapeth21               | 0
defrag.ipv6.reassembled   | RxPcapeth21               | 0
defrag.ipv6.timeouts      | RxPcapeth21               | 0
defrag.max_frag_hits      | RxPcapeth21               | 0
tcp.sessions              | Detect                    | 23880
tcp.ssn_memcap_drop       | Detect                    | 0
tcp.pseudo                | Detect                    | 0
tcp.invalid_checksum      | Detect                    | 0
tcp.no_flow               | Detect                    | 0
tcp.reused_ssn            | Detect                    | 0
tcp.memuse                | Detect                    | 130480
tcp.syn                   | Detect                    | 30868
tcp.synack                | Detect                    | 13691
tcp.rst                   | Detect                    | 2492
dns.memuse                | Detect                    | 0
dns.memcap_state          | Detect                    | 0
dns.memcap_global         | Detect                    | 0
tcp.segment_memcap_drop   | Detect                    | 0
tcp.stream_depth_reached  | Detect                    | 0
tcp.reassembly_memuse     | Detect                    | 0
tcp.reassembly_gap        | Detect                    | 0
http.memuse               | Detect                    | 0
http.memcap               | Detect                    | 0
detect.alert              | Detect                    | 36725
flow_mgr.closed_pruned    | FlowManagerThread         | 13867
flow_mgr.new_pruned       | FlowManagerThread         | 187930
flow_mgr.est_pruned       | FlowManagerThread         | 0
flow.memuse               | FlowManagerThread         | 7200892
flow.spare                | FlowManagerThread         | 10063
flow.emerg_mode_entered   | FlowManagerThread         | 0
flow.emerg_mode_over      | FlowManagerThread         | 0