diff --git a/src/packet_analysis/protocol/snap/SNAP.cc b/src/packet_analysis/protocol/snap/SNAP.cc
index 36bd4236a6..f09b9950b6 100644
--- a/src/packet_analysis/protocol/snap/SNAP.cc
+++ b/src/packet_analysis/protocol/snap/SNAP.cc
@@ -36,11 +36,11 @@ bool SNAPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet
 data += 5;
 len -= 5;
- if ( oui == 0 ) {
- // If the OUI is zero, the protocol is a standard ethertype and can be
- // forwarded as such.
- return ForwardPacket(len, data, packet, protocol);
- }
+ // Protocol values for SNAP can differ based what OUI publishes them, so use a
+ // combination of them for the identifier used to forward.
+ int64_t identifier = oui;
+ identifier <<= 16;
+ identifier |= protocol;
- return true;
+ return ForwardPacket(len, data, packet, identifier);
 }
diff --git a/testing/btest/Baseline/scripts.base.protocols.snap.snap-cdp/unknown_protocols.log b/testing/btest/Baseline/scripts.base.protocols.snap.snap-cdp/unknown_protocols.log
new file mode 100644
index 0000000000..01a7c037c7
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.snap.snap-cdp/unknown_protocols.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path unknown_protocols
+#open XXXX-XX-XX-XX-XX-XX
+#fields ts analyzer protocol_id first_bytes analyzer_history
+#types time string string string vector[string]
+XXXXXXXXXX.XXXXXX SNAP 0xc2000 01b4dff0000100065231 ETHERNET,SNAP
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/README b/testing/btest/Traces/README
index b26ef4424b..6f9576cb71 100644
--- a/testing/btest/Traces/README
+++ b/testing/btest/Traces/README
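Review bot: The combined identifier needs 40 bits (a 24-bit OUI shifted left by 16 plus a 16-bit protocol), so if the identifier parameter of `ForwardPacket` is narrower than that — 32-bit dispatch identifiers would be the likely case — the implicit conversion from `int64_t` silently drops the high OUI byte and two distinct OUIs can dispatch to the same analyzer; either `static_cast` to the dispatcher's type with a comment stating the width assumption, or confirm the parameter is wide enough before relying on the full OUI. Dropping `return true` also changes the outcome for a vendor OUI with no registered analyzer: `AnalyzePacket` now returns whatever `ForwardPacket` reports for an unmapped identifier (the new baseline logs exactly such a packet as 0xc2000), so confirm callers treat that as an unknown protocol rather than a packet failure. The new comment has a typo ("based what") and loses the removed explanation of the zero-OUI case; suggest `// Protocol values for SNAP can differ based on which OUI publishes them, so combine` / `// OUI and protocol into the forwarding identifier. A zero OUI yields identifier ==` / `// protocol, i.e. a plain ethertype, so the existing ethertype mappings still apply.`. `AnalyzePacket` begins before this hunk.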
@@ -48,3 +48,5 @@ Trace Index/Sources:
 https://zeekorg.slack.com/archives/CSZBXF6TH/p1738261449655049
 - tunnels/geneve-tagged-udp-packet.pcap
 Provided by Eldon Koyle Corelight for testing.
+- cdp-v1.pcap From the Wireshark library of captures at https://wiki.wireshark.org/samplecaptures.
\ No newline at end of file
diff --git a/testing/btest/Traces/cdp-v1.pcap b/testing/btest/Traces/cdp-v1.pcap
new file mode 100644
index 0000000000..cde058b52d
Binary files /dev/null and b/testing/btest/Traces/cdp-v1.pcap differ
diff --git a/testing/btest/scripts/base/protocols/snap/snap-cdp.test b/testing/btest/scripts/base/protocols/snap/snap-cdp.test
new file mode 100644
index 0000000000..f910f38f95
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/snap/snap-cdp.test
@@ -0,0 +1,4 @@
+# @TEST-EXEC: zeek -r $TRACES/cdp-v1.pcap %INPUT
+# @TEST-EXEC: btest-diff unknown_protocols.log
+
+@load policy/misc/unknown-protocols
\ No newline at end of file