StamusNetworks / SELKS

A Suricata based IDS/IPS/NSM distro
https://www.stamus-networks.com/open-source/#selks
GNU General Public License v3.0

Vlan data in Moloch #178

Open MartinsZB opened 5 years ago

MartinsZB commented 5 years ago

Hi! I can not find VLAN information when using Moloch viewer, although when I check the data in Kibana, the VLAN information is present. Do I miss some config? Thanks.

pevma commented 5 years ago

Hi,

Moloch should have it I think. When you export a pcap from the Moloch viewer - after you open it with let’s say wireshark - do you see the vlan tags?

Thank you

On 13 Apr 2019, at 01:33, Martins Zabarovskis notifications@github.com wrote:

Hi! I can not find VLAN information when using Moloch viewer, although when I check the data in Kibana, the VLAN information is present. Do I miss some config? Thanks.


MartinsZB commented 5 years ago

Hi pevma,

Looks like it is not there. Kibana definitely shows the VLAN tag: [screenshot: Kibana]. In Moloch I cannot find it: [screenshot: Moloch]. Also, if I search for VLAN, there are no results: [screenshot: Moloch search]. The downloaded pcap also does not have the VLAN tag: [screenshot: Wireshark].

pevma commented 5 years ago

Quick point to check if possible. Do you have the VLAN tag in the raw pcaps? For example, depending on the setup option you have chosen, the pcaps would be either in /data/nsm and/or in /data/moloch/raw/.

MartinsZB commented 5 years ago

Hi pevma, I did a test today. I got the Moloch pcap from /data/moloch/raw/, then also one from Suricata, from /data/nsm, and captured one with tcpdump directly from my mirror interface. In the tcpdump pcap 83% of packets have a VLAN tag (eth.type == 0x8100). In both the Moloch and Suricata pcaps the VLAN tag is removed and all packets are plain IPv4, eth.type == 0x0800.

So looks like Suricata is reading VLAN data but not storing it in pcaps?
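The comparison described in the comment above (count how many frames in a capture still carry an 802.1Q tag, and compare the tcpdump capture against the one written by the sensor) can be scripted instead of done by hand in Wireshark. The following is an added example written for this page, not code from the SELKS project or from anyone in the thread. It parses a classic libpcap file with only the standard library, walks the 802.1Q/802.1ad tag stack of each Ethernet frame (so QinQ frames are counted too), and reports the tagged ratio and the VLAN IDs seen. The pcap bytes it runs on are constructed inline so it works offline; pass a real file path as argv[1] to inspect /data/nsm or /data/moloch/raw/ captures. The `strip_vlan_tags` helper only reproduces, for the demo, the behaviour the thread reports (tags removed, plain 0x0800 frames); it does not reflect how Suricata or Moloch actually process frames.

```python
import struct
import sys

# Ethertypes for 802.1Q (C-tag), 802.1ad (S-tag, QinQ outer) and IPv4
ETH_P_8021Q = 0x8100
ETH_P_8021AD = 0x88A8
ETH_P_IP = 0x0800
PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap, microsecond timestamps


def build_pcap(frames):
    """Write frames into a little-endian classic pcap (linktype 1 = Ethernet).
    Used here only to construct sample input; it is not a real capture."""
    header = struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    out = [header]
    for i, frame in enumerate(frames):
        # ts_sec, ts_usec, incl_len, orig_len
        out.append(struct.pack('<IIII', 1555113600 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b''.join(out)


def eth_frame(vlan_ids=(), payload=b'\x45' + b'\x00' * 19):
    """Constructed Ethernet frame with an optional tag stack and a dummy IPv4 payload.
    For two or more tags the outer one uses the 802.1ad TPID, as in QinQ."""
    dst = bytes.fromhex('001122334455')
    src = bytes.fromhex('66778899aabb')
    tags = b''
    for i, vid in enumerate(vlan_ids):
        tpid = ETH_P_8021AD if (i == 0 and len(vlan_ids) > 1) else ETH_P_8021Q
        tags += struct.pack('>HH', tpid, vid & 0x0FFF)  # TCI: PCP/DEI zero, 12-bit VID
    return dst + src + tags + struct.pack('>H', ETH_P_IP) + payload


def iter_frames(pcap_bytes):
    """Yield the raw frame bytes of every record in a classic pcap file (not pcapng)."""
    magic, = struct.unpack_from('<I', pcap_bytes, 0)
    if magic == PCAP_MAGIC:
        end = '<'
    elif magic == 0xD4C3B2A1:  # same magic written big-endian
        end = '>'
    else:
        raise ValueError('not a classic libpcap file (pcapng is not handled here)')
    offset = 24  # global header size
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from(end + 'IIII', pcap_bytes, offset)
        offset += 16
        yield pcap_bytes[offset:offset + incl_len]
        offset += incl_len


def vlan_tags(frame):
    """Return the VLAN IDs of the tag stack after the MAC addresses (outer first); [] if untagged."""
    tags = []
    offset = 12  # dst MAC (6) + src MAC (6)
    while offset + 4 <= len(frame):
        ethertype, = struct.unpack_from('>H', frame, offset)
        if ethertype not in (ETH_P_8021Q, ETH_P_8021AD):
            break
        tci, = struct.unpack_from('>H', frame, offset + 2)
        tags.append(tci & 0x0FFF)
        offset += 4
    return tags


def strip_vlan_tags(frame):
    """Demo-only: remove the whole tag stack so the frame looks like the stripped pcaps in the thread."""
    offset = 12
    while offset + 4 <= len(frame) and struct.unpack_from('>H', frame, offset)[0] in (ETH_P_8021Q, ETH_P_8021AD):
        offset += 4
    return frame[:12] + frame[offset:]


def vlan_summary(pcap_bytes):
    """Count frames, tagged frames and the set of VLAN IDs; this is the check to run on both captures."""
    total = tagged = 0
    vids = set()
    for frame in iter_frames(pcap_bytes):
        total += 1
        tags = vlan_tags(frame)
        if tags:
            tagged += 1
            vids.update(tags)
    return {'total': total, 'tagged': tagged, 'vlan_ids': sorted(vids)}


# Constructed sample capture: one untagged frame, two on VLAN 100, one QinQ (S-tag 200, C-tag 300)
SAMPLE_PCAP = build_pcap([eth_frame(), eth_frame((100,)), eth_frame((200, 300)), eth_frame((100,))])

if __name__ == '__main__':
    if len(sys.argv) > 1:
        with open(sys.argv[1], 'rb') as fh:
            print(vlan_summary(fh.read()))
    else:
        print('mirror-style capture :', vlan_summary(SAMPLE_PCAP))
        stripped = build_pcap([strip_vlan_tags(f) for f in iter_frames(SAMPLE_PCAP)])
        print('tags stripped        :', vlan_summary(stripped))
```

Running the two summaries on the tcpdump capture and on the sensor's capture gives the same comparison as the Wireshark filter `eth.type == 0x8100`, except that QinQ frames (outer ethertype 0x88A8) are also counted as tagged; a tagged count that drops to zero between the two files is the symptom reported here.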

pevma commented 5 years ago

It does look like a bug. It seems af-packet strips the fields. One more request: could you please read a pcap (any pcap) that has VLANs in it (suricata -k none -r vlan.pcap - that's it :) ) and then cross-reference whether the pcap written to disk by Suricata (in /data/nsm) has the VLANs stripped? Could you then please post a bug report here - https://redmine.openinfosecfoundation.org/projects/suricata/issues - with the relevant details from here?

MartinsZB commented 5 years ago

OK. If I load the pcap in Suricata, the VLAN tags are preserved and not stripped out. Moloch managed to catch the pcap and can recognize the VLANs. I stopped Suricata, changed the pcap path and ran suricata -k none -r vlan_test.pcap --runmode single, opened the log pcap and found the VLAN information untouched.

pevma commented 5 years ago

@MartinsZB - could you please open a bug report with that info on Suricata's redmine?

pevma commented 5 years ago

Thank you for all the testing!

pevma commented 5 years ago

https://redmine.openinfosecfoundation.org/issues/2934