[Oisf-users] ICMPv4 vs ICMPv6 reporting

Brad Kingsbury bradkingsbury at gmail.com
Fri Jun 2 16:06:47 UTC 2017


Peter,

I figured out the issue.  In the procedure called "DecodeICMPV4()", there
needs to be a call to "FlowSetupPacket(p);", in order to add this packet to
the flow manager.  I figured it out by looking at the source code in the
procedures called "DecodeICMPV6()" and "DecodeICMPV4()".

Once I added this, both ICMPv4 and ICMPv6 were tracking ping
requests/replies flows correctly, and in the same manner.

Thanks,
Brad

On Fri, Jun 2, 2017 at 8:11 AM, Peter Manev <petermanev at gmail.com> wrote:

> On Wed, May 31, 2017 at 1:57 AM, Brad Kingsbury <bradkingsbury at gmail.com> wrote:
> > I'm trying to get JSON outputs for ICMPv4 and ICMPv6 flows.
> >
> > When I have Suricata process a simple ping (request/reply -- 2 packets) for
> > both ICMPv4 and ICMPv6, they generate different outputs in the EVE.JSON file.
> >
> > ICMPv6 displays the details, including the ICMP code/type, about the
> > flow/netflow, but for ICMPv4, no flow info is displayed whatsoever.  The
> > ICMPv4 packets are detected as ICMPv4 packets, based upon the summary line,
> > but I can't see the code/type.
>
> Is it possible to share some logs/pcap to reproduce this?
>
> >
> > Any way to see the code/type from the ICMPv4 flows/netflows?
> >
> > Thanks,
> > Brad
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
>
>
>
> --
> Regards,
> Peter Manev
>
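A toy model of the behaviour Brad describes, written as an added example and not taken from Suricata's source: an ICMPv4 decoder that never calls FlowSetupPacket() produces packets the flow manager ignores, so no flow record (and hence no flow event with type/code) is ever written, while the ICMPv6 decoder and the fixed ICMPv4 decoder both get one. The Packet layout, the hash, FlowHandlePacket and the _before/_fixed names are simplifying assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define PKT_WANTS_FLOW 0x01u   /* flag the toy flow manager checks */

/* Simplified stand-in for Suricata's Packet struct (assumed layout, not the real one). */
typedef struct Packet_ {
    uint8_t  proto;      /* 1 = ICMPv4, 58 = ICMPv6 */
    uint8_t  icmp_type;
    uint8_t  icmp_code;
    uint32_t flags;
    uint32_t flow_hash;
} Packet;

/* Mark the packet for the flow engine; the hash is a toy, not Suricata's. */
static void FlowSetupPacket(Packet *p) {
    p->flags |= PKT_WANTS_FLOW;
    p->flow_hash = (uint32_t)p->proto * 31u + p->icmp_type;
}

/* ICMPv6 decoder: read type/code, then hand the packet to the flow engine. */
static int DecodeICMPV6(Packet *p, const uint8_t *pkt, size_t len) {
    if (len < 4) return -1;   /* type, code, checksum at minimum */
    p->proto = 58; p->icmp_type = pkt[0]; p->icmp_code = pkt[1];
    FlowSetupPacket(p);
    return 0;
}

/* ICMPv4 decoder as described on the list: parses but never calls FlowSetupPacket(). */
static int DecodeICMPV4_before(Packet *p, const uint8_t *pkt, size_t len) {
    if (len < 4) return -1;
    p->proto = 1; p->icmp_type = pkt[0]; p->icmp_code = pkt[1];
    return 0;                 /* decoded, but invisible to the flow manager */
}

/* ICMPv4 decoder with the one-line fix applied. */
static int DecodeICMPV4_fixed(Packet *p, const uint8_t *pkt, size_t len) {
    int r = DecodeICMPV4_before(p, pkt, len);
    if (r == 0) FlowSetupPacket(p);
    return r;
}

/* Toy flow manager: only flagged packets get a flow record (and so a flow event). */
static bool FlowHandlePacket(const Packet *p) { return (p->flags & PKT_WANTS_FLOW) != 0; }

/* Push one constructed echo-request header through a decoder; true if a flow record results. */
static bool ping_gets_flow(bool ipv4, bool with_fix) {
    static const uint8_t echo4[] = {8, 0, 0, 0}, echo6[] = {128, 0, 0, 0};  /* constructed headers */
    Packet p = {0};
    int r = !ipv4 ? DecodeICMPV6(&p, echo6, 4)
          : with_fix ? DecodeICMPV4_fixed(&p, echo4, 4) : DecodeICMPV4_before(&p, echo4, 4);
    return r == 0 && FlowHandlePacket(&p);
}
```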