[Oisf-users] MPLS support

Michał D michu162 at gmail.com
Mon Oct 10 14:21:06 UTC 2016


Hello,

In Suricata 3.1.1, how do I enable/configure MPLS support?
I use pcap mode just for logging HTTP requests. For interfaces where I
receive a copy of IP traffic it works well, but for the other one, where I have
MPLS traffic (single or double tag), I don't get any entries in http.log.

Run with:
/usr/bin/suricata -c /etc/suricata/suricata.yaml --disable-detection
--pidfile /var/run/suricata.pid --pcap=eth6 -D -vvv

>>> iface-stat eth6
Success:
{
    "drop": 88596,
    "invalid-checksums": 0,
    "pkts": 23139042
}

# tcpdump -i eth6 -nn -c 1
16:09:52.788799 MPLS (label 299920, exp 0, ttl 254) (label 16, exp 0, [S],
ttl 254) IP xxx.xxx.xxx.xxx.60842 > xxx.xxx.xxx.xxx.80: Flags [.], ack
1736707743, win 65535, length 0

# service suricata start
Starting suricata in IDS (pcap) mode... done.
root@s50873:/var/log/suricata# tail: suricata.log: file truncated
10/10/2016 -- 16:19:34 - <Notice> - This is Suricata version 3.1.1 RELEASE
10/10/2016 -- 16:19:34 - <Info> - CPUs/cores online: 12
10/10/2016 -- 16:19:34 - <Info> - Protocol detection and parser disabled
for tls protocol
10/10/2016 -- 16:19:34 - <Info> - Protocol detection and parser disabled
for smb protocol.
10/10/2016 -- 16:19:34 - <Info> - Protocol detection and parser disabled
for dcerpc protocol.
10/10/2016 -- 16:19:34 - <Info> - Protocol detection and parser disabled
for dcerpc protocol.
10/10/2016 -- 16:19:34 - <Info> - Parsed disabled for ftp protocol.
Protocol detection still on.
10/10/2016 -- 16:19:34 - <Info> - Protocol detection and parser disabled
for smtp protocol.
10/10/2016 -- 16:19:34 - <Info> - Found an MTU of 1500 for 'eth6'
10/10/2016 -- 16:19:34 - <Info> - eve-log output device (regular)
initialized: http.json
10/10/2016 -- 16:19:34 - <Notice> - JsonTlsLog logger not enabled: protocol
tls is disabled
10/10/2016 -- 16:19:34 - <Info> - eve-log output device (regular)
initialized: dns.json
10/10/2016 -- 16:19:34 - <Info> - stats output device (regular)
initialized: stats.log
10/10/2016 -- 16:19:34 - <Info> - Going to use 3 thread(s)
10/10/2016 -- 16:19:34 - <Info> - using interface eth6
10/10/2016 -- 16:19:34 - <Info> - Found an MTU of 1500 for 'eth6'
10/10/2016 -- 16:19:34 - <Info> - Set snaplen to 1524 for 'eth6'
10/10/2016 -- 16:19:34 - <Info> - using interface eth6
10/10/2016 -- 16:19:34 - <Info> - Found an MTU of 1500 for 'eth6'
10/10/2016 -- 16:19:34 - <Info> - Set snaplen to 1524 for 'eth6'
10/10/2016 -- 16:19:34 - <Info> - using interface eth6
10/10/2016 -- 16:19:34 - <Info> - Found an MTU of 1500 for 'eth6'
10/10/2016 -- 16:19:34 - <Info> - Set snaplen to 1524 for 'eth6'
10/10/2016 -- 16:19:34 - <Info> - RunModeIdsPcapWorkers initialised
10/10/2016 -- 16:19:34 - <Notice> - all 3 packet processing threads, 4
management threads initialized, engine started.

# service suricata stop
Stopping suricata: 10/10/2016 -- 16:19:09 - <Notice> - Signal Received.
Stopping engine.
Waiting . . . . 10/10/2016 -- 16:19:18 - <Info> - time elapsed 225.428s
. . 10/10/2016 -- 16:19:22 - <Info> - (W#01-eth6) Packets 29693283, bytes
7721919854
10/10/2016 -- 16:19:22 - <Info> - (W#01-eth6) Pcap Total:31829666
Recv:29698732 Drop:2130934 (6.7%).
10/10/2016 -- 16:19:22 - <Info> - (W#02-eth6) Packets 29347449, bytes
7639472868
10/10/2016 -- 16:19:22 - <Info> - (W#02-eth6) Pcap Total:31844856
Recv:29352937 Drop:2491919 (7.8%).
10/10/2016 -- 16:19:22 - <Info> - (W#03-eth6) Packets 28579990, bytes
7440600831
10/10/2016 -- 16:19:22 - <Info> - (W#03-eth6) Pcap Total:31837384
Recv:28585444 Drop:3251940 (10.2%).
10/10/2016 -- 16:19:23 - <Notice> - Stats for 'eth6':  pkts: 87620722,
drop: 1367385 (1.56%), invalid chksum: 0

Regards,
Michal
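To make concrete what "single or double tag" means for a sensor, here is an added example (not part of the original post and not Suricata's own decoder) that walks an MPLS label stack and infers the encapsulated protocol. MPLS carries no ethertype for its payload, so any decoder has to stop at the bottom-of-stack bit and guess from the first nibble of what follows; a sensor that does not strip the labels first sees no IP header at all, which is the symptom described above. The sample frame is constructed, modelled on the labels and TTL in the tcpdump line (outer label 299920, inner label 16 with the S bit set); the IPv4 addresses in it are placeholders.

```python
import struct

# MPLS label stack entry layout (RFC 3032): 20-bit label, 3-bit TC ("exp"),
# 1-bit bottom-of-stack (S), 8-bit TTL.
def mpls_entry(label, tc=0, bos=0, ttl=254):
    """Encode one 32-bit MPLS label stack entry."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)

# Minimal 20-byte IPv4 header: version 4, IHL 5, protocol 6 (TCP),
# placeholder addresses 10.0.0.1 -> 10.0.0.2 (constructed sample data).
IPV4_HEADER = bytes([0x45, 0x00, 0x00, 0x28, 0x00, 0x00, 0x40, 0x00,
                     0x3f, 0x06, 0x00, 0x00,
                     10, 0, 0, 1,
                     10, 0, 0, 2])

# Two-label stack like the one in the post: outer label 299920 (S=0),
# inner label 16 (S=1), then the IPv4 header.
SAMPLE_FRAME = mpls_entry(299920) + mpls_entry(16, bos=1) + IPV4_HEADER


def parse_mpls_stack(data):
    """Walk the label stack and return (labels, payload_offset).

    Each label is a (label, tc, bos, ttl) tuple. Walking stops at the entry
    whose bottom-of-stack bit is set. A frame that runs out before a bottom
    entry is seen is rejected rather than guessed at.
    """
    labels = []
    off = 0
    while True:
        if off + 4 > len(data):
            raise ValueError("truncated MPLS stack: no bottom-of-stack entry")
        (entry,) = struct.unpack_from("!I", data, off)
        label = entry >> 12
        tc = (entry >> 9) & 0x7
        bos = (entry >> 8) & 0x1
        ttl = entry & 0xFF
        labels.append((label, tc, bos, ttl))
        off += 4
        if bos:
            return labels, off


def guess_payload(data, off):
    """Infer the protocol after the label stack from its first nibble.

    There is no ethertype inside MPLS, so 4 -> IPv4 and 6 -> IPv6 is the only
    hint available; anything else (e.g. a pseudowire control word or an
    Ethernet frame) is reported as unknown instead of being parsed as IP.
    """
    if off >= len(data):
        return "empty"
    nibble = data[off] >> 4
    return {4: "ipv4", 6: "ipv6"}.get(nibble, "unknown")


def decode(frame):
    """Decode an MPLS frame into a summary dict a log line could be built from."""
    labels, off = parse_mpls_stack(frame)
    kind = guess_payload(frame, off)
    info = {
        "labels": [lbl for (lbl, _tc, _bos, _ttl) in labels],
        "depth": len(labels),
        "payload": kind,
    }
    if kind == "ipv4" and off + 20 <= len(frame):
        info["ip_proto"] = frame[off + 9]
        info["src"] = ".".join(str(b) for b in frame[off + 12:off + 16])
        info["dst"] = ".".join(str(b) for b in frame[off + 16:off + 20])
    return info


if __name__ == "__main__":
    print(decode(SAMPLE_FRAME))
```

Running it on the constructed frame reports a two-label stack with labels [299920, 16] over IPv4/TCP; feeding only the outer entry (no S bit) raises `ValueError`, which is the safe behaviour for a truncated or malformed stack. The same walk applies to any stack depth, not only the single- and double-tag cases mentioned in the post.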
