doc/userguide/rules/decode-layer.rst
Match on events generated by the decode layer. Decode events are generated during the packet decoding phase that indicate structural or invalid values for the Ethernet and layer 2 and layer 3 protocol data.
Syntax::
decode-event:<event name>;
Examples::
decode-event:ipv4.opt_duplicate
decode-event:ethernet.unknown_ethertype
Decode Events
ethernet.unknown_ethertype
^^^^^^^^^^^^^^^^^^^^^^^^^^
The ethertype value was not recognized by Suricata. Suricata recognizes
the following ethertype values::
ETHERNET_TYPE_IP
ETHERNET_TYPE_IPV6
ETHERNET_TYPE_VLAN
ETHERNET_TYPE_8021QINQ
ETHERNET_TYPE_8021AD
ETHERNET_TYPE_8021AH
ETHERNET_TYPE_ARP
ETHERNET_TYPE_MPLS_UNICAST
ETHERNET_TYPE_MPLS_MULTICAST
ETHERNET_TYPE_DCE
ETHERNET_TYPE_ETAG
ETHERNET_TYPE_VNTAG
ETHERNET_TYPE_NSH
ETHERNET_TYPE_PPOE_SESS
ETHERNET_TYPE_PPOE_DISC