[Oisf-users] eve.json packet field not matching traffic

Jeremy MJ jskier at gmail.com
Tue Feb 28 19:09:55 UTC 2017


Did you decode the base64 properly? Also, I believe the packet field
is very limited with what you get in general.

I don't seem to have your problem with 3.2 (feeding from rspan), but
it's definitely malformed with erspan captures (Bug #1526).

--
Jeremy MJ


On Tue, Feb 28, 2017 at 7:28 AM, erik clark <philosnef at gmail.com> wrote:
> The content in eve.json for the packet field matches neither the payload nor
> the payload_printable, nor what I assume to be the other side of the
> transaction...
>
> Wat?
>
> Is this expected behavior? Also, the packet appears to be highly truncated.
> This is on suri 3.2. I believe I see the same behavior on suri 3.1.3 as
> well.
>

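Following up on the base64 question in the reply above: an added example (not from this thread and not Suricata's own code) that decodes an alert's `packet` and `payload` fields and walks the Ethernet, IP and transport headers, showing that `packet` carries the whole frame while `payload` holds only the application data, and flagging the case where a size-capped `packet` keeps just a prefix of it. It assumes a plain Ethernet capture (not ERSPAN framing) and the eve record it checks is constructed IPv4/TCP test data.

```python
import base64
import struct

def l4_payload_from_frame(frame: bytes) -> bytes:
    """Walk Ethernet -> IPv4/IPv6 -> TCP/UDP headers and return what follows them."""
    if len(frame) < 34:
        raise ValueError("frame shorter than Ethernet + minimal IP header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0800:    # IPv4: header length comes from the IHL nibble
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    elif ethertype == 0x86DD:  # IPv6: fixed 40-byte header (extension headers not handled)
        ihl, proto = 40, frame[20]
    else:
        raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")
    off = 14 + ihl
    if len(frame) < off + (20 if proto == 6 else 8):
        raise ValueError("frame truncated inside the transport header")
    if proto == 6:             # TCP: data offset (options included) is the high nibble of byte 12
        hdr = (frame[off + 12] >> 4) * 4
    elif proto == 17:          # UDP: fixed 8-byte header
        hdr = 8
    else:
        raise ValueError(f"unsupported IP protocol {proto}")
    return frame[off + hdr:]

def compare_packet_to_payload(event: dict) -> dict:
    """Relate one alert's 'packet' (whole frame) to its 'payload' (app data only)."""
    frame = base64.b64decode(event["packet"])
    payload = base64.b64decode(event.get("payload", ""))
    app = l4_payload_from_frame(frame)
    return {
        "frame_len": len(frame),
        "header_len": len(frame) - len(app),   # L2-L4 bytes that 'payload' never shows
        "payload_matches": app == payload,
        # a capped 'packet' keeps only a payload prefix; a stream 'payload' may also span packets
        "payload_truncated": app != payload and payload.startswith(app),
    }

def build_sample_frame(app: bytes) -> bytes:
    # Constructed Ethernet/IPv4/TCP frame carrying `app` (test data, not a real capture)
    eth = bytes(12) + b"\x08\x00"   # zeroed MACs, ethertype IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(app), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + app

SAMPLE_APP = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_FRAME = build_sample_frame(SAMPLE_APP)
SAMPLE_EVENT = {"packet": base64.b64encode(SAMPLE_FRAME).decode(),   # constructed eve record
                "payload": base64.b64encode(SAMPLE_APP).decode()}
TRUNCATED_EVENT = dict(SAMPLE_EVENT, packet=base64.b64encode(SAMPLE_FRAME[:70]).decode())
```

Running `compare_packet_to_payload` on a real eve.json alert line tells you whether the decoded `packet` is the expected frame with 54 header bytes in front of the payload, or whether it was cut short.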