output: Log ethernet type

Issue 7129

When configured with the existing "ethernet" switch, include the ether
type in the output.

This is most useful with anomaly records indicating unknown ethertypes.

diff --git a/etc/schema.json b/etc/schema.json
index d14ddbcf67226d36823d51fd858afcdcf4f46eb7..3a877aabb96ed9e0759934df62d4dfc65858d934 100644 (file)
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -1744,6 +1744,10 @@
                 "src_mac": {
                     "type": "string"
                 },
+                "ether_type": {
+                    "type": "integer",
+                    "description": "Ethernet type value "
+                },
                 "dest_macs": {
                     "type": "array",
                     "minItems": 1,

diff --git a/src/output-json.c b/src/output-json.c
index 2880a25d87f91eb655a5bd152480c1ec4aeda86b..0109a1c5ee5617f28e342de3477c45afc998332d 100644 (file)
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -734,6 +734,7 @@ static int CreateJSONEther(
         if (PacketIsEthernet(p)) {
             const EthernetHdr *ethh = PacketGetEthernet(p);
             jb_open_object(js, "ether");
+            jb_set_uint(js, "ether_type", ethh->eth_type);
             const uint8_t *src;
             const uint8_t *dst;
             switch (dir) {