[Oisf-users] eve.json packet field not matching traffic

erik clark philosnef at gmail.com
Tue Feb 28 20:07:09 UTC 2017


Yeah, it's very strange. We are using eve2pcap, which does a great job of
converting it, but we noticed that some content in the packet: field is
either truncated or outright wrong...

On Tue, Feb 28, 2017 at 2:09 PM, Jeremy MJ <jskier at gmail.com> wrote:

> Did you decode the base64 properly? Also, I believe the packet field
> is very limited with what you get in general.
>
> I don't seem to have your problem with 3.2 (feeding from rspan), but
> it's definitely malformed with erspan captures (Bug #1526).
>
> --
> Jeremy MJ
>
>
> On Tue, Feb 28, 2017 at 7:28 AM, erik clark <philosnef at gmail.com> wrote:
> > The content in eve.json for the packet field matches neither the payload
> > nor the payload_printable, nor what I assume to be the other side of the
> > transaction...
> >
> > Wat?
> >
> > Is this expected behavior? Also, the packet appears to be highly
> > truncated. This is on suri 3.2. I believe I see the same behavior on
> > suri 3.1.3 as well.
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
>
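Added example, not from this thread or from the Suricata project: a Python script that builds a constructed eve.json-style alert record, base64-decodes its packet and payload fields, and runs the two checks the thread is circling around: whether the payload bytes actually occur inside the decoded packet, and whether the decoded packet is shorter than its own IPv4 total-length field says it should be (i.e. truncated). The JSON field names (packet, payload, payload_printable) follow Suricata's alert output; the Ethernet/IPv4/TCP frame, the record contents and the function names build_frame, make_eve_alert and check_packet_field are constructed here for illustration.

```python
import base64
import json
import struct
from typing import Optional

# Constructed test data, not a real Suricata capture: a minimal
# Ethernet/IPv4/TCP frame carrying a small HTTP request.
ETH_HDR_LEN, IP_HDR_LEN, TCP_HDR_LEN = 14, 20, 20
SAMPLE_PAYLOAD = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"


def build_frame(payload: bytes, truncate_to: Optional[int] = None) -> bytes:
    """Build an Ethernet/IPv4/TCP frame around payload (constructed sample).
    truncate_to cuts the frame short to simulate a truncated packet field."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    total_len = IP_HDR_LEN + TCP_HDR_LEN + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, (TCP_HDR_LEN // 4) << 4,
                      0x18, 8192, 0, 0)
    frame = eth + ip + tcp + payload
    return frame if truncate_to is None else frame[:truncate_to]


def make_eve_alert(packet: bytes, payload: bytes) -> str:
    """Emit one alert line shaped like Suricata's eve.json output (hypothetical
    record): packet and payload are base64, payload_printable has
    non-printable bytes replaced by '.'."""
    printable = "".join(chr(b) if 32 <= b < 127 else "." for b in payload)
    rec = {
        "timestamp": "2017-02-28T14:00:00.000000+0000",
        "event_type": "alert",
        "src_ip": "10.0.0.1", "src_port": 40000,
        "dest_ip": "10.0.0.2", "dest_port": 80, "proto": "TCP",
        "payload": base64.b64encode(payload).decode("ascii"),
        "payload_printable": printable,
        "packet": base64.b64encode(packet).decode("ascii"),
    }
    return json.dumps(rec)


def check_packet_field(line: str) -> dict:
    """Decode the packet and payload fields of one eve.json line and report
    whether the payload bytes are inside the packet and whether the packet
    is shorter than its IPv4 header claims (truncated)."""
    rec = json.loads(line)
    # validate=True rejects non-base64 characters instead of silently skipping them.
    packet = base64.b64decode(rec["packet"], validate=True)
    payload = base64.b64decode(rec["payload"], validate=True) if rec.get("payload") else b""
    result = {
        "packet_len": len(packet),
        "payload_len": len(payload),
        "payload_in_packet": (payload in packet) if payload else None,
        "truncated": None,
        "missing_bytes": 0,
    }
    # IPv4 over Ethernet only: the IP total-length field says how long the
    # frame should be, so a shorter decoded packet has been cut off.
    if len(packet) >= ETH_HDR_LEN + IP_HDR_LEN and packet[12:14] == b"\x08\x00":
        ip_total_len = struct.unpack("!H", packet[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]
        expected = ETH_HDR_LEN + ip_total_len
        result["ip_total_len"] = ip_total_len
        result["truncated"] = len(packet) < expected
        result["missing_bytes"] = max(0, expected - len(packet))
    return result


if __name__ == "__main__":
    full = build_frame(SAMPLE_PAYLOAD)
    print(check_packet_field(make_eve_alert(full, SAMPLE_PAYLOAD)))
    cut = build_frame(SAMPLE_PAYLOAD, truncate_to=60)
    print(check_packet_field(make_eve_alert(cut, SAMPLE_PAYLOAD)))
```

Two caveats when running this over real eve.json lines: the payload field can carry stream-reassembled data rather than the bytes of the single packet that fired the alert, so payload_in_packet being False is not by itself proof of a bad packet field; and the length check only understands IPv4 over Ethernet, so a capture with a different link type (the ERSPAN case mentioned above, for instance) needs its own header parsing before the comparison means anything.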

