output: Add linktype name #11584
output: Add linktype name #11584
Conversation
Issue: 6954 This commit adds the linktype name to the output stream. The name is determined from the pcap utility function pcap_datalink_val_to_name
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #11584 +/- ##
==========================================
- Coverage 82.50% 82.49% -0.02%
==========================================
Files 923 923
Lines 248721 248724 +3
==========================================
- Hits 205215 205175 -40
- Misses 43506 43549 +43
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
Information: QA ran without warnings. Pipeline 21775 |
|
I left some comments on the SV test |
Addressed in new PR: OISF/suricata-verify#2006 |
| "linktype": { | ||
| "type": "integer" | ||
| }, |
There was a problem hiding this comment.
Any thoughts on deprecating this field given its non-portable?
There was a problem hiding this comment.
How is it not portable ? (the link type in a pcap is encoded as some integer, is it not ?)
There was a problem hiding this comment.
The mapping between the linktype value and name is implementation dependent. Most of the mappings are the same but not all.
There was a problem hiding this comment.
So, when reading a pcap, we read its linktype as an integer, but if we do not know on which implementation it was captured, this linktype may mean different things, correct ?
So, still good to log the linktype as it is the thing we know from the pcap file... correct ?
There was a problem hiding this comment.
Yes; we use the pcap library on the host running Suri to interpret the linktype value
There was a problem hiding this comment.
It seems that we don't document packet_info our docs (or I couldn't find it). So I'm thinking we can add a ticket to document it, and include in the task registering this aspect of the linktype...
| }, | ||
| "linktype_name": { | ||
| "type": "string", | ||
| "description": "the descriptive name of the linktype" |
There was a problem hiding this comment.
Should the description mention the non-portability stuff ?
There was a problem hiding this comment.
#11584 (comment)
I think we should add this to our userguide 🤔
There was a problem hiding this comment.
Thanks for the work.
CI : ✅
Code : good
Commits segmentation : ok
Commit messages : ok
Git ID set : looks fine for me
CLA : you already contributed
Doc update : ok
Redmine ticket : ok, but this will not change that a DLT_RAW pcap captured on OpenBSD and read on Linux will print something wrong, right ?
Rustfmt : no rust
Tests : some nits in the SV PR, but mostly good
Dependencies added: none
|
Continued in #11670 |
Continuation of #11564
Issue: 6954
This commit adds the linktype name to the output stream. The name is determined from the pcap utility function pcap_datalink_val_to_name
Link to ticket: https://redmine.openinfosecfoundation.org/issues/6954
Describe changes:
Updates:
Provide values to any of the below to override the defaults.
SV_BRANCH=OISF/suricata-verify#2006