[Oisf-users] Suricata erspan support impact on packet eve logging?
Jeremy MJ
jskier at gmail.com
Thu Jul 30 16:19:11 UTC 2015
Greetings,
I noticed that data in the packet field of the alert event in the json
eve log no longer contains any IP header information (only TCP and raw
data). I believe this may be related to erspan support, but want to be
sure before entering a ticket.
Is anyone else using erspan with Suricata? Or testing a newer dev
version without erspan and logging packets to json eve log? Curious to
hear some feedback.
I'm running Suricata version 2.1dev (rev e583de0), af_packet, 1 gig erspan.
Regards,
--
Jeremy MJ
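
One way to check the symptom described above across an eve log, as an added example that is not part of the original post or of Suricata: it base64-decodes the `packet` field of each alert event and reports where the IPv4 and TCP/UDP headers start, using the event's own `src_ip`, `dest_ip`, `src_port` and `dest_port` as the reference. It assumes IPv4 alerts; `locate_headers`, `scan` and `sample_event` are hypothetical names, and the sample events are constructed.

```python
import base64, ipaddress, json, struct

def locate_headers(event):
    """Byte offsets of the IPv4 and TCP/UDP headers inside the base64
    'packet' field of one alert event; None means the header is absent."""
    raw = base64.b64decode(event["packet"])
    src = ipaddress.IPv4Address(event["src_ip"]).packed
    dst = ipaddress.IPv4Address(event["dest_ip"]).packed
    ip_off = l4_off = None
    # IPv4 stores source and destination at header bytes 12..19, so search
    # for the logged address pair (either direction) anywhere in the buffer.
    for pair in (src + dst, dst + src):
        i = raw.find(pair)
        if i >= 12 and raw[i - 12] >> 4 == 4:
            ip_off = i - 12
            l4_off = ip_off + (raw[ip_off] & 0x0F) * 4  # IHL in 32-bit words
            break
    if ip_off is None and "src_port" in event and "dest_port" in event:
        # No IP header found: does the buffer begin at the logged ports?
        sport, dport = event["src_port"], event["dest_port"]
        for ports in (struct.pack("!HH", sport, dport), struct.pack("!HH", dport, sport)):
            if raw[:4] == ports:
                l4_off = 0
    return {"ip_offset": ip_off, "l4_offset": l4_off}

def scan(lines):
    """Run locate_headers over every alert line that carries a packet field."""
    events = (json.loads(line) for line in lines if line.strip())
    return [locate_headers(e) for e in events
            if e.get("event_type") == "alert" and "packet" in e]

def sample_event(with_ip):
    """Constructed eve alert line (documentation addresses, not real traffic)."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + b"GET / HTTP/1.1\r\n"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    frame = (bytes(12) + b"\x08\x00" + ip + tcp) if with_ip else tcp
    return json.dumps({"event_type": "alert", "src_ip": "192.0.2.10", "src_port": 49152,
                       "dest_ip": "198.51.100.20", "dest_port": 80, "proto": "TCP",
                       "packet": base64.b64encode(frame).decode()})

if __name__ == "__main__":
    for result in scan([sample_event(True), sample_event(False)]):
        print(result)
```

An `ip_offset` of `None` with an `l4_offset` of 0 corresponds to the reported case where the logged packet begins at the TCP header.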