Ethernet headers in pcap files generated by ulogd2

"Ririsoft" <riri@xxxxxxxxxxxx> · Mon, 09 Nov 2020 18:59:12 +0100

Hello Netfilter community,

I do not see ethernet headers in pcap files generated by ulogd2, either with tcpdump or wireshark.
I would really appreciate your help please.

I am running ulogd2 2.0.7, libnfnetlink 1.0.1, linux 4.19.152 on Debian Buster.
I am logging some broadcast traffic at netdev level :

### nftables config
table netdev filter {

  chain ingress {
    type filter hook ingress device wlp2s0 priority 0; policy accept;

    ether daddr ff:ff:ff:ff:ff:ff ether type 0x88e1 log group 1 drop 
    ether daddr ff:ff:ff:ff:ff:ff ether type < 1500 log group 1 drop
  }

}
###

my ulogd2 relevant config :

### ulogd2 config
stack=log2:NFLOG,base1:BASE,pcap1:PCAP

[log2]
group=1

[pcap1]
file="/var/log/ulog/ulogd.pcap"
sync=1
###

tcpdump -r /var/log/ulog/ulogd.pcap -e -XX

18:11:01.002914 ip: unknown ip 0
        0x0000:  0000 a000 b052 0000 0000 0000 0000 0000  .....R..........
        0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0030:  0000                                     ..
18:11:01.002939 ip: unknown ip 0
        0x0000:  0038 a000 b052 0000 0000 0000 0000 0000  .8...R..........
        0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0030:  0000

expected result running tcpdump in monitor mode:

tcpdump broadcast and ether proto 0x88e1
listening on wlp2s0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:51:01.497798 60:35:c0:1a:a3:f0 (oui Unknown) > Broadcast, ethertype Unknown (0x88e1), length 64: 
        0x0000:  0000 a000 b052 0000 0000 0000 0000 0000  .....R..........
        0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0030:  0000                                     ..
18:51:01.497818 60:35:c0:1a:a3:f0 (oui Unknown) > Broadcast, ethertype Unknown (0x88e1), length 64: 
        0x0000:  0038 a000 b052 0000 0000 0000 0000 0000  .8...R..........
        0x0010:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0020:  0000 0000 0000 0000 0000 0000 0000 0000  ................
        0x0030:  0000

This is strange to me since those headers are logged through printpkt and logemu plugins:
tail /var/log/ulog/syslogemu.log
Nov  9 18:11:01 horous  IN=wlp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:60:35:c0:1a:a3:f0:88:e1 MARK=0 
Nov  9 18:11:01 horous  IN=wlp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:60:35:c0:1a:a3:f0:88:e1 MARK=0 

Thanks in advance for your help,
Cheers,
Riri