[Bro] PPPoE Capture IP Layer Being Stripped
dn1nj4 at gmail.com
Tue May 12 06:43:46 PDT 2015
Good day all,
One of my sites has all PPPoE traffic on the link I'm monitoring. The .log
files are all generated correctly, but PCAP files end up with stripped IP
layer information. This was easy to reproduce in bro 2.3.1 on Ubuntu by:

    tcpdump -nn -i ethX -w test.pcap
    bro -r test.pcap -w bro.pcap

The tcpdump traffic in test.pcap looks fine, but the bro pcap comes up as
Ethernet traffic with an unknown type.
Is this a known bug? Or is there perhaps some configuration that needs to
be changed in bro to support this traffic?
Thanks in advance,
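
One way to compare test.pcap and bro.pcap frame by frame, as an added example that is not part of the original post and not Bro code. It assumes classic microsecond pcap files with an Ethernet link type, and that PPPoE session frames use EtherType 0x8864 with PPP protocol 0x0021 (IPv4) or 0x0057 (IPv6); the function names, labels and sample frame are hypothetical.

```python
import struct
import sys
from collections import Counter
PPP_IP_VERSION = {0x0021: 4, 0x0057: 6}   # PPP protocol number -> IP version
ETHERTYPES = {0x0800: "ipv4", 0x86DD: "ipv6", 0x8863: "pppoe-discovery"}

def classify_frame(frame):
    """Label one Ethernet frame by what follows the Ethernet header."""
    if len(frame) < 14:
        return "truncated-ethernet"
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x8864:                # not a PPPoE session frame
        return ETHERTYPES.get(ethertype, "other-0x%04x" % ethertype)
    if len(frame) < 22:                    # 6-byte PPPoE header + 2-byte PPP protocol
        return "pppoe-truncated"
    ver_type, code, _sid, _len, ppp = struct.unpack("!BBHHH", frame[14:22])
    if ver_type != 0x11 or code != 0x00:
        return "pppoe-bad-header"
    version = PPP_IP_VERSION.get(ppp)
    if version is None:
        return "pppoe-ppp-0x%04x" % ppp
    # The byte after the PPP protocol field must open an IP header of that version.
    if len(frame) < 23 or frame[22] >> 4 != version:
        return "pppoe-ipv%d-missing-ip-header" % version
    return "pppoe-ipv%d" % version

def summarize_pcap(data):
    """Count frame labels in a classic microsecond Ethernet pcap given as bytes."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts, off = Counter(), 24
    while off + 16 <= len(data):
        incl = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        counts[classify_frame(data[off + 16:off + 16 + incl])] += 1
        off += 16 + incl
    return counts

# Constructed sample: a PPPoE session frame carrying a 20-byte IPv4 header.
SAMPLE_FRAME = (bytes(12) + b"\x88\x64" + struct.pack("!BBHHH", 0x11, 0, 1, 22, 0x0021)
                + b"\x45" + bytes(19))

if __name__ == "__main__":
    print("sample frame:", classify_frame(SAMPLE_FRAME))
    for path in sys.argv[1:]:              # e.g. test.pcap bro.pcap
        with open(path, "rb") as fh:
            print(path, dict(summarize_pcap(fh.read())))
```

Run against both captures, the label counts show which layer differs between the tcpdump file and the one Bro wrote.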