[Bro] PPPoE Capture IP Layer Being Stripped

James Lay jlay at slave-tothe-box.net
Tue May 12 09:04:56 PDT 2015


On 2015-05-12 07:43 AM, Jason wrote:
> Good day all,
> 
> One of my sites has all PPPoE traffic on the link I'm monitoring.  The
> .log files are all generated correctly, but PCAP files end up with
> stripped IP layer information.  This was easy to reproduce in bro
> 2.3.1 on Ubuntu by doing:
> 
> tcpdump -nn -i ethX -w test.pcap
> bro -r test.pcap -w bro.pcap
> 
> The tcpdump traffic in test.pcap looks fine, but the bro pcap comes up
> as Ethernet traffic with an unknown type.
> 
> Is this a known bug?  Or is there perhaps some configuration that
> needs to be changed in bro to support this traffic?
> 
> Thanks in advance,
> 
> Jason

I run bro on ppp0, but I don't think I've seen this issue.  Have you 
tried having bro listen on the physical interface instead?

James
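
One way to compare test.pcap and bro.pcap from the report above is to tally what each frame's link-layer headers claim to carry, so a capture whose PPPoE session frames no longer decode to IP stands out. This is an added example, not part of the original thread or of Bro's code; the function names and the sample capture are constructed, and it assumes classic (non-pcapng) files with untagged Ethernet frames.

```python
import struct
import sys
from collections import Counter

PPP_PROTOCOLS = {0x0021: "ipv4", 0x0057: "ipv6"}
ETHERTYPES = {0x0800: "ipv4", 0x86DD: "ipv6", 0x0806: "arp", 0x8863: "pppoe-discovery"}
# Classic pcap magic as it appears on disk -> struct byte-order prefix.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def classify_frame(frame: bytes) -> str:
    """Name the network-layer payload of one untagged Ethernet frame."""
    if len(frame) < 14:
        return "truncated-ethernet"
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype != 0x8864:
        return ETHERTYPES.get(etype, f"unknown-ethertype-0x{etype:04x}")
    # PPPoE session: 6-byte header (ver/type, code, session id, length), then PPP protocol.
    if len(frame) < 22:
        return "pppoe/truncated"
    vertype, code, _sid, _length, proto = struct.unpack("!BBHHH", frame[14:22])
    if vertype != 0x11 or code != 0x00:
        return "pppoe/bad-header"
    return "pppoe/" + PPP_PROTOCOLS.get(proto, f"ppp-0x{proto:04x}")

def summarize_pcap(data: bytes) -> Counter:
    """Count frame classifications in a classic (non-pcapng) Ethernet pcap."""
    end = MAGICS.get(data[:4])
    if end is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack(end + "I", data[20:24])
    if linktype != 1:
        raise ValueError(f"link type {linktype} is not Ethernet")
    counts, pos = Counter(), 24
    while pos + 16 <= len(data):
        _sec, _frac, incl, _orig = struct.unpack(end + "IIII", data[pos:pos + 16])
        counts[classify_frame(data[pos + 16:pos + 16 + incl])] += 1
        pos += 16 + incl
    return counts

# Constructed sample (not from the thread): one PPPoE/IPv4 frame, one unrecognised ethertype.
_FRAMES = [bytes(12) + struct.pack("!HBBHHH", 0x8864, 0x11, 0, 1, 22, 0x0021) + bytes(20),
           bytes(12) + struct.pack("!H", 0x88B5) + bytes(46)]
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in _FRAMES)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(dict(summarize_pcap(data)))
```

Run it once per file with the capture path as the only argument and compare the two tallies; with no argument it summarizes the constructed sample.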

