Solution:
Edit `suricata-4.0.3/src/source-af-packet.c`: in `DecodeAFP()`, I changed the `default:` case of the datalink `switch` so that it calls `DecodeRaw()` instead of logging `SC_ERR_DATALINK_UNIMPLEMENTED` — in other words, any datalink type without its own `case` is now decoded as raw IP. That solved my problem. Caveat: this is a workaround rather than a fix. With the error log commented out, a frame whose link type is not explicitly handled is silently decoded as if it began with an IP header, so on a genuinely unsupported link type the sensor may mis-parse traffic (and therefore alert wrongly or not at all) without any warning. It is better to first find out which datalink value the interface actually reports — the error message this patch removes prints it — and add a proper `case` for that type.
suricata-4.0.3/src/source-af-packet.c:
2295 TmEcode DecodeAFP(ThreadVars *tv, Packet *p, void *data, PacketQueue *pq, PacketQueue *postpq)
2296 {
2297 SCEnter();
2298 DecodeThreadVars *dtv = (DecodeThreadVars *)data;
2299
2300 /* XXX HACK: flow timeout can call us for injected pseudo packets
2301 * see bug: https://redmine.openinfosecfoundation.org/issues/1107 */
2302 if (p->flags & PKT_PSEUDO_STREAM_END)
2303 return TM_ECODE_OK;
2304
2305 /* update counters */
2306 DecodeUpdatePacketCounters(tv, dtv, p);
2307
2308 /* If suri has set vlan during reading, we increase vlan counter */
2309 if (p->vlan_idx) {
2310 StatsIncr(tv, dtv->counter_vlan);
2311 }
2312
2313 /* call the decoder */
2314 switch (p->datalink) {
2315 case LINKTYPE_ETHERNET:
2316 DecodeEthernet(tv, dtv, p,GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
2317 break;
2318 case LINKTYPE_LINUX_SLL:
2319 DecodeSll(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
2320 break;
2321 case LINKTYPE_PPP:
2322 DecodePPP(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
2323 break;
2324 case LINKTYPE_RAW:
2325 DecodeRaw(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
2326 break;
2327 case LINKTYPE_NULL:
2328 DecodeNull(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
2329 break;
2330 default:
2331 // SCLogError(SC_ERR_DATALINK_UNIMPLEMENTED, "Error: datalink type %" PRId32 " not yet supported in module DecodeAFP", p->datalink);
2332 // DecodePPP(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
2333 DecodeRaw(tv, dtv, p, GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
2334 // DecodeEthernet(tv, dtv, p,GET_PKT_DATA(p), GET_PKT_LEN(p), pq);
2335 break;
2336 }