[Oisf-users] Suricata erspan support impact on packet eve logging?

Jeremy MJ jskier at gmail.com
Thu Jul 30 16:19:11 UTC 2015


I noticed that data in the packet field of the alert event in the json
eve log no longer contains any IP header information (only TCP and raw
data). I believe this may be related to erspan support, but want to be
sure before entering a ticket.

Is anyone else using erspan with suricata? Or testing a newer dev
version without erspan and logging packets to json eve log? Curious to
hear some feedback.

I'm running Suricata version 2.1dev (rev e583de0), af_packet, 1 gig erspan.


Jeremy MJ

More information about the Oisf-users mailing list