Re: Log ARP headers

Hi,

On Mon, 3 Mar 2025 23:03:34 +0100, Florian Westphal <fw@xxxxxxxxx>
wrote:

> Can you test and report back if this works?
> I have no idea what I am doing as I don't use ulogd.

I had more luck ;-)

Basically it works. At the first attempt I got nothing in the GPRINT file, and
in the journal I found:

    ulogd[2879765]: Unknown protocol family
    ulogd[2879765]: error during propagate_results

Then I found that this error comes from IP2STR, so I shrank the stack to this
(IMO it should silently skip it so I don't need a separate stack for ARP):

    stack=log2a:NFLOG,base1:BASE,ifi1:IFINDEX,mac2str1:HWHDR,gp1:GPRINT

That "solves" the "Unknown protocol family" problem and packets are
logged with ARP entries (beside others):

    arp.hwtype=1,
    arp.protocoltype=2048,
    arp.operation=1,
    arp.saddr=158.160.47.125,
    arp.daddr=168.160.47.125,

The big **but** is that the values of "arp.[ds]addr" are wrong; these are the IPs
as captured by tcpdump:

    ARP, Request who-has 192.168.10.254 tell 192.168.10.15, length 28

Another (less important) point: the field

    oob.protocol=2054

appears three times in one log line with that stack.

That is all I noticed so far...

regards

-- 
Slavko
https://www.slavino.sk
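
For comparison with the mismatch reported above, here is a small reference parser (added for this thread, not ulogd's own code) that decodes the ARP fields from a raw Ethernet frame using the RFC 826 layout, so the expected "arp.saddr"/"arp.daddr" values for a given "who-has X tell Y" request can be derived independently of the plugin. The output keys "arp.shwaddr"/"arp.dhwaddr" are assumed names; the sample frame is constructed inline.

```python
"""Reference ARP decoder for checking what ulogd should log (added example)."""
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806      # the 2054 seen as oob.protocol in the log line
ARPOP_REQUEST = 1       # "who-has" request


def parse_arp(frame: bytes) -> dict:
    """Decode Ethernet + ARP (Ethernet/IPv4 only) and return ulogd-style keys."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + IPv4-over-Ethernet ARP")
    _dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    arp = frame[14:]
    hwtype, ptype, hlen, plen, op = struct.unpack("!HHBBH", arp[:8])
    if hwtype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    # RFC 826 order after the fixed header: sender HW, sender proto,
    # target HW, target proto. Offsets depend on hlen/plen, not fixed bytes.
    off = 8
    sha = arp[off:off + hlen]; off += hlen
    spa = arp[off:off + plen]; off += plen
    tha = arp[off:off + hlen]; off += hlen
    tpa = arp[off:off + plen]
    return {
        "oob.protocol": ethertype,
        "arp.hwtype": hwtype,
        "arp.protocoltype": ptype,
        "arp.operation": op,
        "arp.saddr": str(IPv4Address(spa)),   # "tell" address
        "arp.daddr": str(IPv4Address(tpa)),   # "who-has" address
        "arp.shwaddr": sha.hex(":"),          # assumed key name
        "arp.dhwaddr": tha.hex(":"),          # assumed key name
    }


def build_arp_request(src_mac: bytes, spa: str, tpa: str) -> bytes:
    """Constructed sample frame: 'who-has tpa tell spa', like the tcpdump line."""
    eth = b"\xff" * 6 + src_mac + struct.pack("!H", ETH_P_ARP)
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARPOP_REQUEST)
    body = src_mac + IPv4Address(spa).packed + b"\x00" * 6 + IPv4Address(tpa).packed
    return eth + hdr + body
```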
