8.39. Generic Decode Layer Keywords

8.39.1. decode-event

Match on events generated by the decode layer. Decode events are generated during the packet decoding phase and indicate structural problems or invalid values in the Ethernet, layer 2 and layer 3 protocol data.

Syntax:

decode-event:<event name>;

Examples:

decode-event:ipv4.opt_duplicate;
decode-event:ethernet.unknown_ethertype;
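
The two keywords above placed in complete rules, as an added example that is not part of the original documentation or of the Suricata rule set. The pkthdr protocol is the one Suricata's decoder event rules use; the msg text, the local sid values and the threshold settings are assumptions chosen for illustration.

```suricata
# Added example: local rules, not taken from the Suricata rule set.
# msg text and sid values (1000001, 1000002) are constructed placeholders.

# Alert when the IPv4 decoder reports a duplicated IP option.
alert pkthdr any any -> any any (msg:"LOCAL decode ipv4.opt_duplicate"; decode-event:ipv4.opt_duplicate; classtype:protocol-command-decode; sid:1000001; rev:1;)

# Alert on an ethertype the decoder does not recognize.
# The threshold (an assumed tuning choice) limits this rule to one alert per 60 seconds,
# tracked per rule because such frames may carry no IP source or destination address.
alert pkthdr any any -> any any (msg:"LOCAL decode ethernet.unknown_ethertype"; decode-event:ethernet.unknown_ethertype; threshold:type limit, track by_rule, count 1, seconds 60; classtype:protocol-command-decode; sid:1000002; rev:1;)
```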

8.39.1.1. Decode Events

8.39.1.1.1. ethernet.unknown_ethertype

The ethertype value was not recognized by Suricata. Suricata recognizes the following ethertype values:

ETHERNET_TYPE_IP
ETHERNET_TYPE_IPV6
ETHERNET_TYPE_VLAN
ETHERNET_TYPE_8021QINQ
ETHERNET_TYPE_8021AD
ETHERNET_TYPE_8021AH
ETHERNET_TYPE_ARP
ETHERNET_TYPE_MPLS_UNICAST
ETHERNET_TYPE_MPLS_MULTICAST
ETHERNET_TYPE_DCE
ETHERNET_TYPE_VNTAG
ETHERNET_TYPE_NSH
ETHERNET_TYPE_PPPOE_SESS
ETHERNET_TYPE_PPPOE_DISC