[Oisf-users] ICMPv4 vs ICMPv6 reporting

Peter Manev petermanev at gmail.com
Mon Jun 5 11:56:19 UTC 2017


On Fri, Jun 2, 2017 at 7:06 PM, Brad Kingsbury <bradkingsbury at gmail.com> wrote:
> Peter,
>
> I figured out the issue.  In the procedure called "DecodeICMPV4()", there
> needs to be a call to "FlowSetupPacket(p);", in order to add this packet to
> the flow manager.  I figured it out by looking at the source code in the
> procedure called "DecodeICMPV6()" and "DecodeICMPV4()".
>
> Once I added this, both ICMPv4 and ICMPv6 were tracking ping
> requests/replies flows correctly, and in the same manner.
>

Do you mind doing a PR, so it could be reviewed and potentially
included in the master?


> Thanks,
> Brad
>
> On Fri, Jun 2, 2017 at 8:11 AM, Peter Manev <petermanev at gmail.com> wrote:
>>
>> On Wed, May 31, 2017 at 1:57 AM, Brad Kingsbury <bradkingsbury at gmail.com>
>> wrote:
>> > I'm trying to get JSON outputs for ICMPv4 and ICMPv6 flows.
>> >
>> > When I have Suricata process a simple ping (request/reply -- 2 packets)
>> > for
>> > both ICMPv4 and ICMPv6, they generate different outputs in the EVE.JSON
>> > file.
>> >
>> > ICMPv6 displays the details, including the ICMP code/type, about the
>> > flow/netflow, but for ICMPv4, no flow info is displayed whatsoever.  The
>> > ICMPv4 packets are detected as ICMPv4 packets, based upon the summary
>> > line,
>> > but I can't see the code/type.
>>
>> Is it possible to share some logs/pcap to reproduce this?
>>
>> >
>> > Any way to see the code/type from the ICMPv4 flows/netflows?
>> >
>> > Thanks,
>> > Brad
>> >
>> > _______________________________________________
>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> > Site: http://suricata-ids.org | Support:
>> > http://suricata-ids.org/support/
>> > List:
>> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> >
>>
>>
>>
>> --
>> Regards,
>> Peter Manev
>
>



-- 
Regards,
Peter Manev
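The symptom described in this thread (ICMPv6 flow records carrying type/code while ICMPv4 flow records carry nothing) is easy to verify from the eve.json output itself. The following checker is an added example, not code from the thread or from the Suricata project: it parses EVE JSON lines, lists ICMP flow events that lack `icmp_type`/`icmp_code`, and checks that an ICMP flow looks like an echo request/reply pair. The sample lines are constructed, and the field names (`proto` values `ICMP`/`IPv6-ICMP`, `icmp_type`, `icmp_code`, `response_icmp_type`, `response_icmp_code`) are assumed to match Suricata's flow records; adjust them if your version differs.

```python
import json

# Constructed sample eve.json lines (not taken from the thread). The second line
# reproduces the reported symptom: an ICMPv4 flow with no type/code at all.
SAMPLE_EVE = """\
{"timestamp":"2017-06-02T10:00:00.000000+0000","event_type":"flow","src_ip":"fe80::1","dest_ip":"fe80::2","proto":"IPv6-ICMP","icmp_type":128,"icmp_code":0,"response_icmp_type":129,"response_icmp_code":0,"flow":{"pkts_toserver":1,"pkts_toclient":1,"state":"established"}}
{"timestamp":"2017-06-02T10:00:01.000000+0000","event_type":"flow","src_ip":"10.0.0.1","dest_ip":"10.0.0.2","proto":"ICMP","flow":{"pkts_toserver":1,"pkts_toclient":1,"state":"established"}}
{"timestamp":"2017-06-02T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.1","dest_ip":"10.0.0.2","proto":"ICMP","icmp_type":8,"icmp_code":0,"alert":{"signature":"constructed test alert"}}
"""

# Assumed proto strings for the two ICMP families in EVE output.
ICMP_PROTOS = {"ICMP", "IPv6-ICMP"}

# Echo request -> expected echo reply type, per family (ICMPv4: 8 -> 0, ICMPv6: 128 -> 129).
ECHO_PAIRS = {"ICMP": (8, 0), "IPv6-ICMP": (128, 129)}


def parse_eve(text):
    """Parse newline-delimited EVE JSON; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def icmp_flows_missing_type_code(records):
    """Return (src_ip, dest_ip, proto) for ICMP flow events without icmp_type/icmp_code.

    An ICMPv4 flow showing up here is exactly the behaviour reported in the thread.
    """
    missing = []
    for rec in records:
        if rec.get("event_type") != "flow" or rec.get("proto") not in ICMP_PROTOS:
            continue
        if "icmp_type" not in rec or "icmp_code" not in rec:
            missing.append((rec.get("src_ip"), rec.get("dest_ip"), rec.get("proto")))
    return missing


def is_echo_pair(rec):
    """True if an ICMP flow record carries an echo request and the matching echo reply."""
    if rec.get("event_type") != "flow" or rec.get("proto") not in ECHO_PAIRS:
        return False
    req_type, reply_type = ECHO_PAIRS[rec["proto"]]
    return (
        rec.get("icmp_type") == req_type
        and rec.get("icmp_code") == 0
        and rec.get("response_icmp_type") == reply_type
        and rec.get("response_icmp_code") == 0
    )


def echo_pair_flows(records):
    """Return (src_ip, dest_ip, proto) for every flow that is a complete ping exchange."""
    return [
        (rec.get("src_ip"), rec.get("dest_ip"), rec.get("proto"))
        for rec in records
        if is_echo_pair(rec)
    ]


if __name__ == "__main__":
    recs = parse_eve(SAMPLE_EVE)
    print("ICMP flows missing type/code:", icmp_flows_missing_type_code(recs))
    print("complete echo request/reply flows:", echo_pair_flows(recs))
```

Run it against a real eve.json by replacing `SAMPLE_EVE` with the file contents; after the `FlowSetupPacket(p)` change the first list should be empty and a plain ping should appear in the second list for both families.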


