[Oisf-users] eve.json packet field not matching traffic

erik clark philosnef at gmail.com
Tue Feb 28 20:47:22 UTC 2017


pf_ring. Not sure if that affects this or not

On Tue, Feb 28, 2017 at 3:30 PM, Jeremy MJ <jskier at gmail.com> wrote:

> I typically just use scapy and the base64 python module for decoding,
> although I believe eve2pcap is all python based too.
>
> What method are you using to capture packets?
>
> --
> Jeremy MJ
>
>
> On Tue, Feb 28, 2017 at 2:07 PM, erik clark <philosnef at gmail.com> wrote:
> > Yeah, it's very strange. We are using eve2pcap, which does a great job of
> > converting it, but we noticed that some content in packet: is either
> > truncated or outright wrong...
> >
> > On Tue, Feb 28, 2017 at 2:09 PM, Jeremy MJ <jskier at gmail.com> wrote:
> >>
> >> Did you decode the base64 properly? Also, I believe the packet field
> >> is very limited with what you get in general.
> >>
> >> I don't seem to have your problem with 3.2 (feeding from rspan), but
> >> it's definitely malformed with erspan captures (Bug #1526).
> >>
> >> --
> >> Jeremy MJ
> >>
> >>
> >> On Tue, Feb 28, 2017 at 7:28 AM, erik clark <philosnef at gmail.com> wrote:
> >> > The content in eve.json for the packet field matches neither the payload
> >> > nor the payload_printable, nor what I assume to be the other side of the
> >> > transaction...
> >> >
> >> > Wat?
> >> >
> >> > Is this expected behavior? Also, the packet appears to be highly
> >> > truncated.
> >> > This is on suri 3.2. I believe I see the same behavior on suri 3.1.3 as
> >> > well.
> >> >
> >> > _______________________________________________
> >> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> >> > Site: http://suricata-ids.org | Support:
> >> > http://suricata-ids.org/support/
> >> > List:
> >> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >> >
> >
> >
>
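Added example, not code from the thread or from Suricata/eve2pcap: a plain-Python check that decodes the base64 `packet` and `payload` fields of an eve.json alert, walks the Ethernet/IPv4/TCP headers to find where the TCP data starts, and reports whether the packet carries the payload intact, is cut short, or holds different bytes (as when the packet belongs to the other side of the exchange). The sample frame and eve record are constructed here; scapy is not needed.

```python
import base64
import json
import struct

# Constructed sample frame (not from the thread): Ethernet + IPv4 + TCP + HTTP payload.
PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
_ETH = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 20 + len(PAYLOAD), 1, 0, 64, 6, 0,
                  bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
_TCP = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
FRAME = _ETH + _IP + _TCP + PAYLOAD


def make_eve_alert(frame: bytes, payload: bytes) -> str:
    """Constructed eve.json alert line carrying base64 packet and payload fields."""
    return json.dumps({"event_type": "alert",
                       "packet": base64.b64encode(frame).decode(),
                       "payload": base64.b64encode(payload).decode()})


def check_packet_field(eve_line: str) -> dict:
    """Decode packet/payload, locate the TCP data, and classify the packet field."""
    ev = json.loads(eve_line)
    pkt = base64.b64decode(ev["packet"])
    payload = base64.b64decode(ev.get("payload", ""))
    # Ethernet (14) + minimal IPv4 (20) must be present and carry IPv4/TCP.
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        return {"status": "non-ipv4-or-short", "packet_len": len(pkt)}
    if pkt[23] != 6:
        return {"status": "non-tcp", "packet_len": len(pkt)}
    ihl = (pkt[14] & 0x0F) * 4
    ip_total = struct.unpack("!H", pkt[16:18])[0]
    tcp_off = 14 + ihl
    if len(pkt) < tcp_off + 20:
        return {"status": "truncated-in-headers", "packet_len": len(pkt)}
    data_off = (pkt[tcp_off + 12] >> 4) * 4
    captured = pkt[tcp_off + data_off:]
    expected_end = 14 + ip_total  # frame length implied by the IP total length
    if captured == payload:
        status = "match"
    elif len(pkt) < expected_end and payload.startswith(captured):
        status = "truncated"  # packet field cut short but consistent with payload
    else:
        status = "mismatch"  # different bytes, e.g. the other direction of the flow
    return {"status": status, "packet_len": len(pkt), "expected_len": expected_end,
            "payload_bytes_in_packet": len(captured)}
```

Run it over one alert line per record from a real eve.json to see which alerts carry a complete packet and which are cut short.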