[Bro] PPPoE Capture IP Layer Being Stripped
jlay at slave-tothe-box.net
Thu May 14 04:06:52 PDT 2015
On Thu, 2015-05-14 at 03:57 -0400, Jason wrote:
> On Tue, May 12, 2015 at 12:51 PM, Jason <dn1nj4 at gmail.com> wrote:
> Date: Tue, 12 May 2015 10:04:56 -0600
> From: James Lay <jlay at slave-tothe-box.net>
> Subject: Re: [Bro] PPPoE Capture IP Layer Being
> To: bro at bro.org
> On 2015-05-12 07:43 AM, Jason wrote:
> > Good day all,
> > One of my sites has all PPPoE traffic on the link I'm monitoring. The
> > .log files are all generated correctly, but PCAP files end up with
> > stripped IP layer information. This was easy to reproduce in bro
> > 2.3.1 on Ubuntu by doing:
> > tcpdump -nn -i ethX -w test.pcap
> > bro -r test.pcap -w bro.pcap
> > The tcpdump traffic in test.pcap looks fine, but the bro pcap comes up
> > as Ethernet traffic with an unknown type.
> > Is this a known bug? Or is there perhaps some configuration that
> > needs to be changed in bro to support this traffic?
> > Thanks in advance,
> > Jason
> I run bro on ppp0, but I don't think I've seen this
> issue. Have you
> tried having bro listen on the physical interface
> I have indeed. Live capture was where the problem was first
> noticed. I moved to an offline/tcpdump test as part of my
> troubleshooting to ensure nothing else was causing problems
> (link issues, PF_RING, etc).
> Has anyone else run into these problems? Any suggestions? As far as
> I can tell it's specific to bro.
> Thanks again,
At this stage I would file a bug report.
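
Added example, not part of the original thread and not Bro code: a small check that tallies how each record in a classic pcap is framed (plain IPv4, PPPoE session carrying IPv4, or some other EtherType), so the framing of test.pcap and bro.pcap can be compared side by side. The function names and the sample frames are constructed for illustration; VLAN tags and pcapng files are assumed absent.

```python
import struct
from collections import Counter

ETH_IPV4, ETH_PPPOE_SESSION, PPP_IPV4 = 0x0800, 0x8864, 0x0021  # RFC 2516 / PPP

def classify_frame(frame):
    """Name the framing of one Ethernet frame (VLAN tags are not handled)."""
    if len(frame) < 14:
        return "truncated-ethernet"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_IPV4:
        return "ipv4"
    if ethertype != ETH_PPPOE_SESSION:
        return "ethertype-0x%04x" % ethertype
    pppoe = frame[14:]              # 6-byte PPPoE header, then 2-byte PPP protocol
    if len(pppoe) < 9:
        return "truncated-pppoe"
    ppp_proto = struct.unpack("!H", pppoe[6:8])[0]
    if ppp_proto == PPP_IPV4 and pppoe[8] >> 4 == 4:
        return "pppoe/ipv4"
    return "pppoe/ppp-0x%04x" % ppp_proto

def summarize_pcap(data):
    """Count frames per framing in a classic (non-pcapng) Ethernet pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic microsecond pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts, off = Counter(), 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        counts[classify_frame(data[off + 16:off + 16 + incl_len])] += 1
        off += 16 + incl_len
    return counts

def build_pcap(frames):
    # Little-endian pcap built in memory, used only for the constructed sample.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed sample frames, not taken from the thread's captures.
IP_HDR = bytes([0x45]) + bytes(19)
PPPOE_FRAME = bytes(12) + b"\x88\x64\x11\x00\x00\x01\x00\x16\x00\x21" + IP_HDR
ODD_FRAME = bytes(12) + b"\xff\xff" + IP_HDR
SAMPLE = build_pcap([PPPOE_FRAME, ODD_FRAME])
```

To compare the two captures from the thread, call summarize_pcap(open("test.pcap", "rb").read()) and the same on bro.pcap; a difference in the tallies shows which layer changed between the input and the rewritten file.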