[Bro] Offline trace: segmentation fault
vern at icir.org
Thu May 29 22:23:27 PDT 2008
> 1) Yes, if I use tcpdump -r on the trace it spits out the packets
> fine. One thing I noticed is that many of the packets are truncated
> (listed as IP truncated-ip), and the number of bytes missing is not
> homogenous between the truncated packets. Could this be the problem?
Indeed. The message is indicating an inconsistency between the link
layer framing and the IP framing. This doubtless means that the trace
conversion process has failed to construct a correct link-layer header.
When I run Bro on the trace, I get:
bro: problem with trace file test.pcap - unknown data link type 0xb
and it exits.
More information about the Bro