wallarm · AnastasiaTWW · Mar 24, 2026
diff --git a/docs/latest/admin-en/native-node-metrics-gonode.md b/docs/latest/admin-en/native-node-metrics-gonode.md
@@ -53,6 +53,10 @@ Contains details about applied configuration and ruleset files, including format
 
 Standard process and Go runtime metrics, including resource usage (CPU, memory, network) and garbage collector statistics.
 
+### `wallarm_gonode_envoy_external_filter_*`
+
+Metrics for [Wallarm Filter for Istio Ingress](../installation/connectors/istio.md), including processed messages, gRPC stream statistics, blocked and bypassed requests.
+
 ### `wallarm_gonode_http_connector_*`
 
 Metrics related to the connector server component, covering request processing, blocked/bypassed requests, error counters, and latency.
@@ -67,7 +71,7 @@ Contains metrics related to exporting data to the postanalytics service (wstore)
 
 ### `wallarm_gonode_tcp_*`
 
-Provides metrics from the TCP packet processing pipeline, including packet and byte counters, active flows, HTTP message reconstruction statistics, and TCP-level parsing or reassembly errors.
+Provides metrics from the [TCP packet](../installation/oob/tcp-traffic-mirror/deployment.md) processing pipeline, including packet and byte counters, active flows, HTTP message reconstruction statistics, and TCP-level parsing or reassembly errors.
 
 ## Example metrics output
 
@@ -220,7 +224,6 @@ wallarm_gonode_http_connector_server_debug_container_len{type="map:responseWaitM
 wallarm_gonode_http_connector_server_errors_total{type="DroppedOnOverload"} 0
 wallarm_gonode_http_connector_server_errors_total{type="DuplicateReqId"} 0
 wallarm_gonode_http_connector_server_errors_total{type="MsgDataFormat"} 0
-wallarm_gonode_http_connector_server_errors_total{type="MsgType"} 0
 wallarm_gonode_http_connector_server_errors_total{type="MsgpackDataFormat"} 0
 wallarm_gonode_http_connector_server_errors_total{type="MsgpackDecode"} 0
 wallarm_gonode_http_connector_server_errors_total{type="NilBody"} 0
@@ -571,7 +574,7 @@ wallarm_gonode_tcp_reassembler_errors_total{type="InvalidHttpHeader"} 0
 wallarm_gonode_tcp_reassembler_errors_total{type="InvalidHttpTrailer"} 0
 wallarm_gonode_tcp_reassembler_errors_total{type="InvalidKeepaliveTimeout"} 0
 wallarm_gonode_tcp_reassembler_errors_total{type="RequestTimeout"} 0
-wallarm_gonode_tcp_reassembler_errors_total{type="ResponseBeforeRequest"} 0
+wallarm_gonode_tcp_reassembler_errors_total{type="ResponseReadyBeforeRequest"} 0
 wallarm_gonode_tcp_reassembler_errors_total{type="ResponseTimeout"} 19
 wallarm_gonode_tcp_reassembler_errors_total{type="TcpReadError"} 0
 wallarm_gonode_tcp_reassembler_errors_total{type="UnexpectedHttpBodyEnd"} 2
@@ -648,9 +651,6 @@ wallarm_gonode_tcp_stream_step_is_running 1
 # TYPE wallarm_gonode_tcp_stream_step_output_messages_total counter
 wallarm_gonode_tcp_stream_step_output_messages_total{dropped="false",msgtype="MsgGoPacket",receiver="0"} 1.2987394e+07
 wallarm_gonode_tcp_stream_step_output_messages_total{dropped="true",msgtype="MsgGoPacket",receiver="0"} 0
-# HELP wallarm_gonode_tcp_stream_tcp_packets_read_total Number of TCP packets read from the stream.
-# TYPE wallarm_gonode_tcp_stream_tcp_packets_read_total counter
-wallarm_gonode_tcp_stream_tcp_packets_read_total 1.2987394e+07
 ```
 
 <style>

diff --git a/docs/latest/installation/native-node/all-in-one-conf.md b/docs/latest/installation/native-node/all-in-one-conf.md
@@ -419,9 +419,9 @@ Maximum lifetime of a connection (e.g., `1m` for 1 minute).
 
 ## TCP mirror-specific settings
 
-### tcp_stream.from_interface.enabled (required)
+### tcp_stream.from_interface.enabled
 
-Specifies if capturing traffic from a network interface is active.
+Enables capturing traffic from a network interface. This source is one of several available traffic sources (`from_interface`, `from_vxlan`, `from_geneve`) — at least one must be enabled.
 
 Default: `false`.
 
@@ -436,9 +436,9 @@ tcp_stream:
     interface: "lo"
 ```
 
-### tcp_stream.from_interface.interface (required)
+### tcp_stream.from_interface.interface
 
-Specifies the network interface name to capture traffic from (e.g., `eth0`, `enp7s0`).
+Specifies the network interface name to capture traffic from (e.g., `eth0`, `enp7s0`). Required when `from_interface.enabled` is `true`.
 
 Default: `any`.
 
@@ -537,7 +537,31 @@ Default: `true`.
 If `tcp_stream.from_interface.promiscuous` is not set, promiscuous mode is enabled by default.
 
 !!! info "Promiscuous mode limitation"
-    Promiscuous mode does not work with [`tcp_stream.from_interface.interface`](#tcp_streamfrom_interfaceinterface-required) set to `any`.
+    Promiscuous mode does not work with [`tcp_stream.from_interface.interface`](#tcp_streamfrom_interfaceinterface) set to `any`.
+
+### tcp_stream.from_vxlan
+
+Configuration for receiving [VXLAN](https://datatracker.ietf.org/doc/html/rfc7348)-encapsulated mirrored traffic. The node listens on a UDP port and decapsulates VXLAN packets for analysis. Available [starting from version 0.24.0](../../updating-migrating/native-node/node-artifact-versions.md).
+
+| Parameter | Type | Default | Description |
+|-----------|------|---------|-------------|
+| `enabled` | bool | `false` | Enable VXLAN listener. |
+| `listen_addr` | string | `0.0.0.0:4789` | UDP address and port to listen on. |
+| `vni_filter` | list of integers | empty (all VNIs) | List of VXLAN VNIs to accept. If empty, all VNIs are accepted. |
+| `filter` | string | empty (no filter) | [BPF filter](https://biot.com/capstats/bpf.html) applied to decapsulated inner packets. |
+
+### tcp_stream.from_geneve
+
+Configuration for receiving [GENEVE](https://datatracker.ietf.org/doc/html/rfc8926)-encapsulated mirrored traffic. The node listens on a UDP port and decapsulates GENEVE packets for analysis. Supports [AWS VPC Traffic Mirroring](https://docs.aws.amazon.com/vpc/latest/mirroring/what-is-traffic-mirroring.html) with nested VXLAN. Available [starting from version 0.24.0](../../updating-migrating/native-node/node-artifact-versions.md).
+
+| Parameter | Type | Default | Description |
+|-----------|------|---------|-------------|
+| `enabled` | bool | `false` | Enable GENEVE listener. |
+| `listen_addr` | string | `0.0.0.0:6081` | UDP address and port to listen on. |
+| `nested_vxlan` | bool | `false` | Enable decapsulation of nested VXLAN inside GENEVE (AWS VPC Traffic Mirroring). |
+| `vni_filter` | list of integers | empty (all VNIs) | List of outer GENEVE VNIs to accept. If empty, all VNIs are accepted. |
+| `inner_vni_filter` | list of integers | empty (all VNIs) | List of inner VXLAN VNIs to accept when `nested_vxlan` is enabled. If empty, all VNIs are accepted. |
+| `filter` | string | empty (no filter) | [BPF filter](https://biot.com/capstats/bpf.html) applied to decapsulated inner packets. |
 
 ## Envoy external filter-specific settings
 

diff --git a/docs/latest/installation/native-node/all-in-one.md b/docs/latest/installation/native-node/all-in-one.md
@@ -41,7 +41,6 @@ The machine intended for running the Native Node with the all-in-one installer m
 
 * When using the all-in-one installer in `connector-server` or `envoy_external_filter` mode, a **trusted** SSL/TLS certificate is required for the machine's domain. Self-signed certificates are not yet supported.
 * The `tcp-capture-v2` mode does not support traffic mirrored as independent, one-way streams (e.g., by some FortiGate configurations), because such traffic cannot be reliably reconstructed and HTTP request/response pairs may not be matched. `tcp-capture-v2` requires bidirectional TCP streams, with all packets from both directions captured in a single coherent flow. 
-* At the moment, the `tcp-capture-v2` mode does not support VXLAN or SPAN-mirrored traffic.
 * [Custom blocking page and blocking code](../../admin-en/configuration-guides/configure-block-page-and-code.md) configurations are not yet supported.
 * [Rate limiting](../../user-guides/rules/rate-limiting.md) by the Wallarm rule is not supported.
 
@@ -98,12 +97,6 @@ Create the `wallarm-node-conf.yaml` file on the machine with the following minim
         enabled: true
         interface: "enp7s0"
     ```
-
-    In the `tcp_stream.from_interface.interface` parameter, you specify the network interface to capture traffic from. To check network interfaces available on the host:
-
-    ```
-    ip addr show
-    ```
 === "envoy-external-filter"
     ```yaml
     version: 4

diff --git a/docs/latest/installation/oob/tcp-traffic-mirror/deployment.md b/docs/latest/installation/oob/tcp-traffic-mirror/deployment.md
@@ -14,7 +14,13 @@ Among all supported [deployment options](../../supported-deployment-options.md),
 
 This solution operates in out-of-band (OOB) mode, capturing mirrored TCP traffic directly from the network interface, independent of web servers like NGINX. The captured traffic is then parsed, reassembled, and analyzed for threats.
 
-It functions as a mirror target, seamlessly switching between multiple traffic sources. The solution supports VLAN (802.1Q) mirrored traffic without requiring VLAN tags.
+It functions as a mirror target, seamlessly switching between multiple traffic sources. The supported encapsulation formats are:
+
+* **[VLAN](https://www.ieee802.org/1/pages/802.1Q-2022.html)** (802.1Q) — captured via network interface with a BPF filter
+* **[VXLAN](https://datatracker.ietf.org/doc/html/rfc7348)** — received via a dedicated UDP listener
+* **[GENEVE](https://datatracker.ietf.org/doc/html/rfc8926)** — received via a dedicated UDP listener, including nested VXLAN for [AWS VPC Traffic Mirroring](https://docs.aws.amazon.com/vpc/latest/mirroring/what-is-traffic-mirroring.html)
+
+Other encapsulation protocols (GRE, ERSPAN, SPAN, STT) are not supported.
 
 Additionally, the solution enables response mirror parsing, providing Wallarm features that rely on response data. These features include [vulnerability detection](../../../about-wallarm/detecting-vulnerabilities.md), [API discovery](../../../api-discovery/overview.md) and more.
 
@@ -33,7 +39,8 @@ Additionally, the solution enables response mirror parsing, providing Wallarm fe
     * Allowed outgoing connections to the IP addresses and their corresponding hostnames (if any) listed below. This is needed for downloading updates to attack detection rules and [API specifications](../../../api-specification-enforcement/overview.md), as well as retrieving precise IPs for your [allowlisted, denylisted, or graylisted](../../../user-guides/ip-lists/overview.md) countries, regions, or data centers
 
         --8<-- "../include/wallarm-cloud-ips.md"
-* Traffic and response mirroring must be configured with both source and target set up, and the prepared instance chosen as a mirror target. Specific environment requirements must be met, such as allowing specific protocols for traffic mirroring configurations.
+* Traffic and response mirroring must be configured with both source and target set up, and the prepared instance chosen as a mirror target.
+* The mirrored traffic must use one of the supported encapsulation formats: raw/VLAN, VXLAN, or GENEVE.
 
 ## Step 1: Prepare Wallarm token
 
@@ -84,9 +91,21 @@ In the [article](../../native-node/all-in-one-conf.md), you will find the list o
 
 It is required to specify the `tcp-capture-v2` mode in the corresponding parameter to run the solution for the TCP traffic mirror analysis.
 
-### Choosing a network interface for listening
+### Configuring the traffic source
+
+The node supports several traffic source types depending on how mirrored traffic is delivered to the machine. At least one source should be enabled. Multiple sources can run simultaneously — they operate independently and feed into the same processing pipeline.
+
+| Source | Use when | Config section |
+|--------|----------|----------------|
+| [Network interface](#network-interface-raw-or-vlan) | Traffic is mirrored at L2 level (raw or VLAN-tagged). | `tcp_stream.from_interface` |
+| [VXLAN listener](#vxlan) | Traffic is encapsulated in VXLAN. | `tcp_stream.from_vxlan` |
+| [GENEVE listener](#geneve) | Traffic is encapsulated in GENEVE, including AWS VPC Traffic Mirroring | `tcp_stream.from_geneve` |
+
+#### Network interface (raw or VLAN)
 
-To specify the network interface to capture traffic from:
+Use `tcp_stream.from_interface` to capture raw (unencapsulated) or VLAN-tagged mirrored traffic directly from a network interface.
+
+This source does **not** perform tunnel decapsulation — for VXLAN or GENEVE traffic, use the dedicated listeners below.
 
 1. Check network interfaces available on the host:
 
@@ -96,36 +115,102 @@ To specify the network interface to capture traffic from:
 
 1. Specify the network interface in the `interface` parameter.
 
-    The value must be the network interface name (e.g., `eth0`, `enp7s0`). To capture traffic on a specific port, specify a [BPF (Berkeley Packet Filter)](https://biot.com/capstats/bpf.html) expression in the `filter` parameter.
+    The value must be the network interface name (e.g., `eth0`, `enp7s0`). To filter traffic by port or VLAN, specify a [BPF (Berkeley Packet Filter)](https://biot.com/capstats/bpf.html) expression in the `filter` parameter.
 
-    ```yaml
-    version: 4
+    === "Raw traffic on a specific port"
+        ```yaml
+        version: 4
 
-    mode: tcp-capture-v2
+        mode: tcp-capture-v2
 
-    tcp_stream:
-      from_interface:
-        enabled: true
-        interface: "eth0"
-        filter: "port 80"
-    ```
+        tcp_stream:
+          from_interface:
+            enabled: true
+            interface: "eth0"
+            filter: "port 80"
+        ```
+    === "VLAN-tagged traffic"
+        ```yaml
+        version: 4
+
+        mode: tcp-capture-v2
+
+        tcp_stream:
+          from_interface:
+            enabled: true
+            interface: "eth0"
+            filter: "vlan"
+        ```
+
+#### VXLAN
 
-### Capturing VLAN
+Use `tcp_stream.from_vxlan` when mirrored traffic is encapsulated in [VXLAN](https://datatracker.ietf.org/doc/html/rfc7348). The node opens a UDP socket on the configured port, decapsulates VXLAN headers, and feeds the inner Ethernet frames into the processing pipeline.
 
-If mirrored traffic is wrapped in VLAN, you can capture it by specifying `vlan` in the `filter` parameter using a [BPF (Berkeley Packet Filter)](https://biot.com/capstats/bpf.html) expression.
+Available [starting from version 0.24.0](../../../updating-migrating/native-node/node-artifact-versions.md).
 
 ```yaml
 version: 4
 
 mode: tcp-capture-v2
 
 tcp_stream:
-  from_interface:
+  from_vxlan:
     enabled: true
-    interface: "eth0"
-    filter: "vlan"
+    listen_addr: "0.0.0.0:4789"
+    # Optional: list of VNIs to accept (empty = all VNIs)
+    vni_filter:
+      - 100
+    # Optional: BPF filter applied to the inner (decapsulated) packets
+    filter: "tcp port 80"
 ```
 
+#### GENEVE
+
+Use `tcp_stream.from_geneve` when mirrored traffic is encapsulated in [GENEVE](https://datatracker.ietf.org/doc/html/rfc8926). The node opens a UDP socket on the configured port, decapsulates GENEVE headers, and feeds the inner Ethernet frames into the processing pipeline.
+
+For [AWS VPC Traffic Mirroring](https://docs.aws.amazon.com/vpc/latest/mirroring/what-is-traffic-mirroring.html), which wraps VXLAN inside GENEVE, enable the `nested_vxlan` option.
+
+Available [starting from version 0.24.0](../../../updating-migrating/native-node/node-artifact-versions.md).
+
+=== "Standard GENEVE"
+    ```yaml
+    version: 4
+
+    mode: tcp-capture-v2
+
+    tcp_stream:
+      from_geneve:
+        enabled: true
+        listen_addr: "0.0.0.0:6081"
+        # Optional: list of VNIs to accept (empty = all VNIs)
+        vni_filter:
+          - 100
+        # Optional: BPF filter applied to the inner (decapsulated) packets
+        filter: "tcp port 443"
+    ```
+=== "AWS VPC Traffic Mirroring (GENEVE + nested VXLAN)"
+    AWS VPC Traffic Mirroring wraps VXLAN inside GENEVE. Enable `nested_vxlan` to handle this format:
+
+    ```yaml
+    version: 4
+
+    mode: tcp-capture-v2
+
+    tcp_stream:
+      from_geneve:
+        enabled: true
+        listen_addr: "0.0.0.0:6081"
+        nested_vxlan: true
+        # Optional: filter by outer Geneve VNI
+        vni_filter:
+          - 100
+        # Optional: filter by inner VXLAN VNI
+        inner_vni_filter:
+          - 200
+        # Optional: BPF filter applied to the inner (decapsulated) packets
+        filter: "tcp port 443"
+    ```
+
 ### Identifying the original client IP and host headers
 
 When traffic passes through proxies or load balancers, they often replace the original client IP address and `Host` header with their own values. To preserve the original information, such intermediaries typically add HTTP headers like `X-Forwarded-For`, `X-Real-IP`, or `X-Forwarded-Host`.
@@ -279,5 +364,4 @@ For additional debugging, set the [`log.level`](../../native-node/all-in-one-con
     * [Rate limiting](../../../user-guides/rules/rate-limiting.md) is not supported as it is impossible to limit load on target servers.
     * [Filtering by IP addresses](../../../user-guides/ip-lists/overview.md) is not supported.
 * The solution analyzes only unencrypted HTTP traffic over raw TCP, not encrypted HTTPS traffic.
-* At the moment, the solution does not support VXLAN or SPAN-mirrored traffic.
 * The solution does not support traffic mirrored as independent, one-way streams (e.g., by some FortiGate configurations), because such traffic cannot be reliably reconstructed and HTTP request/response pairs may not be matched. `tcp-capture-v2` requires bidirectional TCP streams, with all packets from both directions captured in a single coherent flow. 
diff --git a/docs/latest/updating-migrating/native-node/node-artifact-versions.md b/docs/latest/updating-migrating/native-node/node-artifact-versions.md
@@ -10,6 +10,57 @@ History of all-in-one installer updates simultaneously applies to it's x86_64 an
 
 [How to upgrade](all-in-one.md)
 
+### 0.24.0 (TBD)
+
+* [TCP traffic mirror analysis](../../installation/oob/tcp-traffic-mirror/deployment.md) (`tcp-capture-v2` mode):
+
+    * Added support for [VXLAN](../../installation/oob/tcp-traffic-mirror/deployment.md#vxlan) and [GENEVE](../../installation/oob/tcp-traffic-mirror/deployment.md#geneve) decapsulation, including support for [AWS VPC Traffic Mirroring](https://docs.aws.amazon.com/vpc/latest/mirroring/what-is-traffic-mirroring.html) via `nested_vxlan`
+    * Added new configuration parameters: [`tcp_stream.from_vxlan`](../../installation/native-node/all-in-one-conf.md#tcp_streamfrom_vxlan) and [`tcp_stream.from_geneve`](../../installation/native-node/all-in-one-conf.md#tcp_streamfrom_geneve) for receiving encapsulated mirrored traffic
+    * Fixed issues that caused missing and unanalyzed requests, incorrect response-to-request association, and VLAN ID mishandling
+    * Fixed incorrect reassembly of interlaced packets captured from multiple interfaces in promiscuous mode
+* Fixed minor stability and reliability issues
+* Updated [Prometheus metrics](../../admin-en/native-node-metrics-gonode.md):
+
+    | Change | Metric |
+    |--------|--------|
+    | New | `wallarm_gonode_tcp_stream_input_packets_total{source=…}` |
+    | New | `wallarm_gonode_tcp_stream_input_bytes_total{source=…}` |
+    | New | `wallarm_gonode_tcp_stream_output_packets_total` |
+    | New | `wallarm_gonode_tcp_stream_output_bytes_total` |
+    | New | `wallarm_gonode_tcp_stream_packets_rejected_total{reason=…}` |
+    | New | `wallarm_gonode_tcp_stream_bytes_rejected_total{reason=…}` |
+    | New | `wallarm_gonode_tcp_reassembler_http_decode_bytes_decoded_total` |
+    | New | `wallarm_gonode_tcp_reassembler_http_flow_bytes_rejected_total` |
+    | New | `wallarm_gonode_tcp_reassembler_container_is_overloaded` |
+    | New | `wallarm_gonode_tcp_reassembler_http_unpaired_messages` |
+    | New | `wallarm_gonode_tcp_stream_diag_interface_counters_total` |
+    | New | `wallarm_gonode_tcp_stream_errors_total` (Geneve/VXLAN error types) |
+    | New | `wallarm_gonode_envoy_external_filter_requests_blocked_total` |
+    | Changed | `wallarm_gonode_tcp_stream_diag_interface_info` — now only reports MTU; I/O counters moved to `diag_interface_counters_total` |
+    | Renamed | `…errors_total{type="ResponseBeforeRequest"}` → `…{type="ResponseReadyBeforeRequest"}` |
+    | Removed | `wallarm_gonode_tcp_stream_tcp_packets_read_total` |
+    | Removed | `wallarm_gonode_http_connector_server_errors_total{type="MsgType"}` |
+
+
+<!-- 
+
+уже было:
+
+Bug
+NODE-7099
+Aggregation/WCLI Container is crash looping on US 43330 due to OOM
+Critical
+Resolved
+
+Task
+NODE-7548
+Bump base AIO version to 6.10.3 in go-node
+Normal
+RELEASING -->
+
+
+
+
 ### 0.23.1 (2026-03-19)
 
 * Fixed a memory leak in the [API Specification Enforcement](../../api-specification-enforcement/overview.md) component that caused steadily increasing memory consumption and eventual OOMKill pod restarts