[Bro-Dev] [JIRA] (BIT-1398) PPPoE PCAP stripping layers

Seth Hall (JIRA) jira at bro-tracker.atlassian.net
Fri Sep 4 05:33:00 PDT 2015


     [ https://bro-tracker.atlassian.net/browse/BIT-1398?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-1398:
---------------------------
    Labels: full_packet_capture  (was: )

> PPPoE PCAP stripping layers
> ---------------------------
>
>                 Key: BIT-1398
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1398
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: 2.3
>         Environment: Ubuntu 12.04.5 , pf_ring
>            Reporter: Jason
>              Labels: full_packet_capture
>
> Recently I discovered what I believe to be a problem with Bro's packet collection of PPPoE traffic.  This occurs both on the wire and when reading in PCAP.
> Here is a sample SSL session over PPPoE as captured by tcpdump:
> 12:58:27.914864568 PPPoE  [ses 0x279a] IP 192.168.110.235.25095 > 192.168.162.218.443: Flags [S], seq 2317077818, win 65535, options [mss 1380,nop,wscale 9,sackOK,TS val 139402792 ecr 0], length 0
> 12:58:28.091544568 PPPoE  [ses 0x279a] IP 192.168.162.218.443 > 192.168.110.235.25095: Flags [S.], seq 2303200074, ack 2317077819, win 5792, options [mss 1460,sackOK,TS val 1200789536 ecr 139402792,nop,wscale 7], length 0
> 12:58:28.092020568 PPPoE  [ses 0x279a] IP 192.168.110.235.25095 > 192.168.162.218.443: Flags [.], ack 1, win 513, options [nop,nop,TS val 139402972 ecr 1200789536], length 0
> 12:58:28.092579568 PPPoE  [ses 0x279a] IP 192.168.110.235.25095 > 192.168.162.218.443: Flags [P.], seq 1:257, ack 1, win 513, options [nop,nop,TS val 139402972 ecr 1200789536], length 256
> 12:58:28.268976568 PPPoE  [ses 0x279a] IP 192.168.162.218.443 > 192.168.110.235.25095: Flags [.], ack 257, win 54, options [nop,nop,TS val 1200789713 ecr 139402972], length 0
> Running this capture through Bro results in a valid ssl.log: 
> 1431435508.092579	C2fjf233dO59LO7sj9	192.168.110.235	25095	192.168.162.218	443	TLSv10	TLS_DHE_RSA_WITH_AES_256_CBC_SHA	-	some_website.com	7e710c9504f77e9fc8d18121ed965a25119c673b6b4e0a07b5bfcd5baadae534	-	T	-	-	-	-	--
> But the resulting PCAP coming out of Bro for the same packets looks like this: 
> 12:58:27.914864256 40:00:3f:06:da:8a > 45:00:00:3c:aa:49, ethertype Unknown (0x6e36), length 82: 
> 12:58:28.091544552 40:00:30:06:93:d4 > 45:00:00:3c:00:00, ethertype Unknown (0x36ec), length 82:
> 12:58:28.092020256 40:00:3f:06:da:84 > 45:00:00:34:aa:57, ethertype Unknown (0x6e36), length 74:
> 12:58:28.092579152 40:00:3f:06:d9:82 > 45:00:01:34:aa:59, ethertype Unknown (0x6e36), length 330:
> 12:58:28.268976656 40:00:30:06:00:42 > 45:00:00:34:93:9a, ethertype Unknown (0x36ec), length 74:
> Please let me know if you need any additional information.
> Jason



--
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-259#70102)
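The tcpdump output Jason quotes is the signature of a writer that hands the decapsulated IP packet to a pcap file whose link type still says Ethernet: the "destination MAC" 45:00:00:3c:aa:49 is the IPv4 version/IHL byte, TOS, a total length of 0x003c (60) and the IP ID, and 60 bytes of IP plus 14 bytes of Ethernet and 8 bytes of PPPoE/PPP header is the 82 the ticket reports. The script below is an added illustration, not Bro's code and not part of the ticket: it builds a PPPoE-session frame from constructed values (the MACs, session id and zeroed checksums are made up), reproduces the mis-parse by stripping the link layers before writing, and shows a defender-side audit that flags Ethernet records whose bytes actually begin with a plausible IPv4 header. The two corrected variants write either the full original frame under DLT_EN10MB or the bare IP packet under DLT_RAW (link type 101), both of which the audit passes.

```python
"""Reproduce and detect the stripped-layer pcap symptom on constructed PPPoE data."""
import struct

DLT_EN10MB = 1            # pcap link type: Ethernet
DLT_RAW = 101             # pcap link type: raw IP, no link-layer header
ETH_P_IPV4 = 0x0800
ETH_P_PPPOE_SESSION = 0x8864
PPP_PROTO_IPV4 = 0x0021
KNOWN_ETHERTYPES = {ETH_P_IPV4, 0x86DD, 0x0806, 0x8100, 0x8863, ETH_P_PPPOE_SESSION}


def build_ipv4_tcp_syn(src_ip, dst_ip, ident):
    """Constructed 20-byte IPv4 header + 40-byte TCP SYN (mss, wscale, sackOK, TS); checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, ident, 0x4000, 63, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", 25095, 443, 2317077818, 0, 0xA0, 0x02, 65535, 0, 0)
    tcp += b"\x02\x04\x05\x64\x01\x03\x03\x09\x04\x02\x08\x0a" + bytes(8)  # options, 20 bytes
    return ip + tcp


def encapsulate_pppoe(ip_packet, session_id, src_mac, dst_mac):
    """Ethernet (14) + PPPoE session header (6) + PPP protocol field (2), as on a PPPoE link."""
    eth = dst_mac + src_mac + struct.pack("!H", ETH_P_PPPOE_SESSION)
    pppoe = struct.pack("!BBHH", 0x11, 0x00, session_id, len(ip_packet) + 2)
    return eth + pppoe + struct.pack("!H", PPP_PROTO_IPV4) + ip_packet


def pppoe_ip_offset(frame):
    """Offset of the IPv4 header inside a PPPoE-session frame carrying IPv4, else None."""
    if len(frame) < 22 or struct.unpack("!H", frame[12:14])[0] != ETH_P_PPPOE_SESSION:
        return None
    if struct.unpack("!H", frame[20:22])[0] != PPP_PROTO_IPV4:
        return None
    return 22


def strip_layers(frame):
    """The defective behaviour: emit the decapsulated IP packet although the file claims Ethernet."""
    off = pppoe_ip_offset(frame)
    return frame[off:] if off is not None else frame


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def dissect_ethernet(data):
    """What a DLT_EN10MB dissector reports: dst MAC, src MAC, ethertype."""
    return {"dst": mac(data[:6]), "src": mac(data[6:12]),
            "ethertype": struct.unpack("!H", data[12:14])[0]}


def looks_like_stripped_ipv4(linktype, data):
    """Heuristic: an Ethernet record with an unknown ethertype whose bytes start like an IPv4 header."""
    if linktype != DLT_EN10MB or len(data) < 20:
        return False
    if dissect_ethernet(data)["ethertype"] in KNOWN_ETHERTYPES:
        return False
    version, ihl = data[0] >> 4, data[0] & 0x0F
    total_len = struct.unpack("!H", data[2:4])[0]
    return version == 4 and ihl >= 5 and 20 <= total_len <= len(data)


def pcap_bytes(linktype, records):
    """Minimal little-endian pcap 2.4 file in memory; records are (ts_sec, ts_usec, bytes)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for sec, usec, data in records:
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out


def pcap_records(blob):
    """Parse the in-memory pcap back into (linktype, [(sec, usec, data), ...])."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", blob[:24])
    if magic != 0xA1B2C3D4:
        raise ValueError("unexpected pcap magic")
    pos, recs = 24, []
    while pos < len(blob):
        sec, usec, caplen, _ = struct.unpack("<IIII", blob[pos:pos + 16])
        recs.append((sec, usec, blob[pos + 16:pos + 16 + caplen]))
        pos += 16 + caplen
    return linktype, recs


def audit_pcap(blob):
    """Number of records that look like IPv4 headers mislabelled as Ethernet frames."""
    linktype, recs = pcap_records(blob)
    return sum(looks_like_stripped_ipv4(linktype, d) for _, _, d in recs)


if __name__ == "__main__":
    ip = build_ipv4_tcp_syn("192.168.110.235", "192.168.162.218", 0xAA49)
    frame = encapsulate_pppoe(ip, 0x279A, bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"))
    ts = (1431435507, 914864)
    buggy = pcap_bytes(DLT_EN10MB, [(*ts, strip_layers(frame))])
    fixed_full = pcap_bytes(DLT_EN10MB, [(*ts, frame)])
    fixed_raw = pcap_bytes(DLT_RAW, [(*ts, strip_layers(frame))])
    # The symptom from the ticket: IP header fields read back as MACs and an unknown ethertype
    print(dissect_ethernet(strip_layers(frame)))
    for name, blob in (("stripped", buggy), ("full frame", fixed_full), ("raw ip", fixed_raw)):
        print(f"{name}: suspicious records = {audit_pcap(blob)}")
```

In the stripped variant the "ethertype" field lands on the first two octets of the source IP address, so the value tcpdump prints as an unknown ethertype is itself a hint that the bytes are an IP header; the audit treats an unknown ethertype combined with a version nibble of 4 and a total-length field no larger than the record as the trigger, which keeps genuine frames with known ethertypes (including PPPoE itself) out of the count.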