output: Log ethernet type

Issue 7129 When configured with the existing "ethernet" switch, include the ether type in the output. This is most useful with anomaly records indicating unknown ethertypes.
5 months ago · cbda276aeb
parent beec1eac2f
commit cbda276aeb
2 changed files with 5 additions and 0 deletions
--- a/etc/schema.json
+++ b/etc/schema.json
@ -1744,6 +1744,10 @@
                "src_mac": {
                    "type": "string"
                },
+                "ether_type": {
+                    "type": "integer",
+                    "description": "Ethernet type value "
+                },
                "dest_macs": {
                    "type": "array",
                    "minItems": 1,
--- a/src/output-json.c
+++ b/src/output-json.c
@ -734,6 +734,7 @@ static int CreateJSONEther(
        if (PacketIsEthernet(p)) {
            const EthernetHdr *ethh = PacketGetEthernet(p);
            jb_open_object(js, "ether");
+            jb_set_uint(js, "ether_type", ethh->eth_type);
            const uint8_t *src;
            const uint8_t *dst;
            switch (dir) {