From: Jeff Lucovsky
Date: Tue, 1 Oct 2024 13:19:25 +0000 (-0400)
Subject: output: Log ethernet type
X-Git-Tag: suricata-8.0.0-beta1~477
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F12514%2Fhead;p=thirdparty%2Fsuricata.git

output: Log ethernet type

Issue 7129

When configured with the existing "ethernet" switch, include the ether type in the output. This is most useful with anomaly records indicating unknown ethertypes.
---
diff --git a/etc/schema.json b/etc/schema.json
index d14ddbcf67..3a877aabb9 100644
--- a/etc/schema.json
+++ b/etc/schema.json
@@ -1744,6 +1744,10 @@
 "src_mac": {
 "type": "string"
 },
+ "ether_type": {
+ "type": "integer",
+ "description": "Ethernet type value "
+ },
 "dest_macs": {
 "type": "array",
 "minItems": 1,
diff --git a/src/output-json.c b/src/output-json.c
index 2880a25d87..0109a1c5ee 100644
--- a/src/output-json.c
+++ b/src/output-json.c
@@ -734,6 +734,7 @@ static int CreateJSONEther(
 if (PacketIsEthernet(p)) {
 const EthernetHdr *ethh = PacketGetEthernet(p);
 jb_open_object(js, "ether");
+ jb_set_uint(js, "ether_type", ethh->eth_type);
 const uint8_t *src;
 const uint8_t *dst;
 switch (dir) {
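Review bot: The new `ether_type` property in etc/schema.json is declared as a bare `integer`, so schema validation accepts negative or oversized numbers although an EtherType is a 16-bit field. Adding `"minimum": 0, "maximum": 65535` would let validation reject a malformed record. The description also ends in a trailing space and does not say how the number is to be read; `"description": "EtherType of the frame, as a decimal integer"` would tell consumers what they are matching on.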
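Review bot: The added `jb_set_uint(js, "ether_type", ethh->eth_type);` in CreateJSONEther logs the header field exactly as stored, with no byte-order conversion. The EthernetHdr definition is not visible in this diff, but if eth_type holds the on-wire (network byte order) value, a little-endian sensor would log a byte-swapped number, for example 8 instead of 2048 for IPv4. The commit message aims this field at anomaly records for unknown ethertypes, so a swapped value would mislead triage and any downstream rule keyed on it. If that is the case, convert before logging, `jb_set_uint(js, "ether_type", SCNtohs(ethh->eth_type));`, and cover it with a test on a frame of known type. The function body starts and ends outside the hunk.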