[Bro-Dev] [JIRA] (BIT-1398) PPPoE PCAP stripping layers
Seth Hall (JIRA)
jira at bro-tracker.atlassian.net
Fri Sep 4 05:33:00 PDT 2015
[ https://bro-tracker.atlassian.net/browse/BIT-1398?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Seth Hall updated BIT-1398:
---------------------------
Labels: full_packet_capture (was: )
> PPPoE PCAP stripping layers
> ---------------------------
>
> Key: BIT-1398
> URL: https://bro-tracker.atlassian.net/browse/BIT-1398
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: 2.3
> Environment: Ubuntu 12.04.5 , pf_ring
> Reporter: Jason
> Labels: full_packet_capture
>
> Recently I discovered what I believe to be a problem with Bro's packet collection of PPPoE traffic. This occurs both on the wire and when reading in PCAP.
> Here is a sample SSL session over PPPoE as captured by tcpdump:
> 12:58:27.914864568 PPPoE [ses 0x279a] IP 192.168.110.235.25095 > 192.168.162.218.443: Flags [S], seq 2317077818, win 65535, options [mss 1380,nop,wscale 9,sackOK,TS val 139402792 ecr 0], length 0
> 12:58:28.091544568 PPPoE [ses 0x279a] IP 192.168.162.218.443 > 192.168.110.235.25095: Flags [S.], seq 2303200074, ack 2317077819, win 5792, options [mss 1460,sackOK,TS val 1200789536 ecr 139402792,nop,wscale 7], length 0
> 12:58:28.092020568 PPPoE [ses 0x279a] IP 192.168.110.235.25095 > 192.168.162.218.443: Flags [.], ack 1, win 513, options [nop,nop,TS val 139402972 ecr 1200789536], length 0
> 12:58:28.092579568 PPPoE [ses 0x279a] IP 192.168.110.235.25095 > 192.168.162.218.443: Flags [P.], seq 1:257, ack 1, win 513, options [nop,nop,TS val 139402972 ecr 1200789536], length 256
> 12:58:28.268976568 PPPoE [ses 0x279a] IP 192.168.162.218.443 > 192.168.110.235.25095: Flags [.], ack 257, win 54, options [nop,nop,TS val 1200789713 ecr 139402972], length 0
> Running this capture through Bro results in a valid ssl.log:
> 1431435508.092579 C2fjf233dO59LO7sj9 192.168.110.235 25095 192.168.162.218 443 TLSv10 TLS_DHE_RSA_WITH_AES_256_CBC_SHA - some_website.com 7e710c9504f77e9fc8d18121ed965a25119c673b6b4e0a07b5bfcd5baadae534 - T - - - - --
> But the resulting PCAP coming out of Bro for the same packets looks like this:
> 12:58:27.914864256 40:00:3f:06:da:8a > 45:00:00:3c:aa:49, ethertype Unknown (0x6e36), length 82:
> 12:58:28.091544552 40:00:30:06:93:d4 > 45:00:00:3c:00:00, ethertype Unknown (0x36ec), length 82:
> 12:58:28.092020256 40:00:3f:06:da:84 > 45:00:00:34:aa:57, ethertype Unknown (0x6e36), length 74:
> 12:58:28.092579152 40:00:3f:06:d9:82 > 45:00:01:34:aa:59, ethertype Unknown (0x6e36), length 330:
> 12:58:28.268976656 40:00:30:06:00:42 > 45:00:00:34:93:9a, ethertype Unknown (0x36ec), length 74:
> Please let me know if you need any additional information.
> Jason
--
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-259#70102)
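The tcpdump lines in the report can be reproduced outside Bro. The block below is an added example, not Bro's code and not part of Jason's report: it rebuilds the first SYN of the trace as Ethernet / PPPoE session / PPP / IPv4 / TCP (ports, addresses, sequence number, TTL, PPPoE session id and the IP id/checksum bytes are the ones visible in the report; the MAC addresses, the TCP checksum and the trailing bytes of the 82-byte record are assumed), strips it to the IP layer, and writes that under the Ethernet link type (DLT_EN10MB). Decoding the result the way tcpdump does yields exactly the "40:00:3f:06:da:8a > 45:00:00:3c:aa:49" pair from the report; the ethertype value is whatever the first two bytes of the source address are, so it differs from the 0x6e36 printed there. It also shows the check a practitioner would run over a Bro-written pcap to flag this symptom, and the link type (LINKTYPE_IPV4, 228) a writer should use when it really intends to store only the IP layer. The epoch timestamp is derived from the ssl.log line (1431435508.092579 is the 12:58:28.092579 packet).

```python
"""Reproduce the symptom in BIT-1398: IPv4 bytes written into a pcap whose
link type is still Ethernet decode as a garbage MAC pair + unknown ethertype."""
import struct

DLT_EN10MB = 1
LINKTYPE_IPV4 = 228                 # pcap link type for "packet begins with IPv4 header"
ETHERTYPE_PPPOE_SESSION = 0x8864
PPP_PROTO_IPV4 = 0x0021
PPPOE_SESSION_ID = 0x279A           # from the tcpdump lines in the report
# Ethertypes a decoder would recognise; anything else prints as "Unknown".
KNOWN_ETHERTYPES = {0x0800, 0x0806, 0x86DD, 0x8100, 0x8863, 0x8864, 0x8847}


def build_pppoe_syn() -> bytes:
    """Constructed copy of the report's first packet (Ethernet/PPPoE/PPP/IPv4/TCP SYN).
    MACs and the TCP checksum are assumed placeholders; the rest is from the report."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 60,                   # ver/ihl, tos, total length
                         0xAA49, 0x4000,                # id, DF
                         63, 6, 0xDA8A,                 # ttl, TCP, checksum bytes as printed
                         bytes([192, 168, 110, 235]), bytes([192, 168, 162, 218]))
    tcp_opts = (b"\x02\x04\x05\x64"                     # mss 1380
                b"\x01"                                 # nop
                b"\x03\x03\x09"                         # wscale 9
                b"\x04\x02"                             # sackOK
                + b"\x08\x0a" + struct.pack("!II", 139402792, 0))  # TS val / ecr
    tcp_hdr = struct.pack("!HHIIBBHHH", 25095, 443, 2317077818, 0,
                          10 << 4, 0x02,                # data offset 10 words, SYN
                          65535, 0, 0)                  # window, checksum (assumed 0), urg
    ip_pkt = ip_hdr + tcp_hdr + tcp_opts               # 60 bytes
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + ip_pkt   # PPP protocol field + payload
    pppoe = struct.pack("!BBHH", 0x11, 0x00, PPPOE_SESSION_ID, len(ppp)) + ppp
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") \
        + struct.pack("!H", ETHERTYPE_PPPOE_SESSION)
    return eth + pppoe                                  # 14 + 6 + 2 + 60 = 82 bytes


def strip_to_ip(frame: bytes) -> bytes:
    """Return the IPv4 packet inside an Ethernet/PPPoE-session/PPP frame (skip 22 bytes)."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_PPPOE_SESSION:
        raise ValueError("not a PPPoE session frame")
    if struct.unpack("!H", frame[20:22])[0] != PPP_PROTO_IPV4:
        raise ValueError("PPP payload is not IPv4")
    return frame[22:]


def write_pcap(linktype: int, records) -> bytes:
    """Minimal little-endian libpcap writer; records are (sec, usec, bytes, wire_len)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for sec, usec, pkt, wire_len in records:
        out += struct.pack("<IIII", sec, usec, len(pkt), wire_len) + pkt
    return out


def read_pcap(data: bytes):
    """Yield (linktype, packet_bytes) from a file produced by write_pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        yield linktype, data[off + 16:off + 16 + incl]
        off += 16 + incl


def ethernet_view(pkt: bytes):
    """Decode the first 14 bytes as Ethernet, as a DLT_EN10MB reader does: (src, dst, type)."""
    def mac(b):
        return ":".join(f"{x:02x}" for x in b)
    return mac(pkt[6:12]), mac(pkt[0:6]), struct.unpack("!H", pkt[12:14])[0]


def looks_like_stripped_ipv4(pkt: bytes) -> bool:
    """Flag a DLT_EN10MB record whose 'ethertype' is unknown but whose bytes parse as an
    IPv4 header at offset 0.  total_len <= len(pkt) rather than == because the report's
    records keep the original 82-byte length while the data starts at the IP header."""
    _, _, etype = ethernet_view(pkt)
    if etype in KNOWN_ETHERTYPES or len(pkt) < 20:
        return False
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return pkt[0] >> 4 == 4 and (pkt[0] & 0xF) >= 5 and 20 <= total_len <= len(pkt)


def demonstrate() -> dict:
    frame = build_pppoe_syn()
    ip_pkt = strip_to_ip(frame)
    ts = (1431435507, 914864)           # 12:58:27.914864, epoch second from the ssl.log line
    good = write_pcap(DLT_EN10MB, [(*ts, frame, len(frame))])
    # The report's case: IP bytes under the Ethernet link type, wire length still 82
    # (assumed to be how "length 82" arises; the report does not say what the tail holds).
    wrong = write_pcap(DLT_EN10MB, [(*ts, ip_pkt, len(frame))])
    right = write_pcap(LINKTYPE_IPV4, [(*ts, ip_pkt, len(ip_pkt))])
    _, wrong_pkt = next(read_pcap(wrong))
    return {
        "frame_len": len(frame), "ip_len": len(ip_pkt),
        "original_ethertype": ethernet_view(frame)[2],
        "stripped_as_ethernet": ethernet_view(wrong_pkt),   # the report's garbage MACs
        "symptom_detected": looks_like_stripped_ipv4(wrong_pkt),
        "symptom_in_good_file": looks_like_stripped_ipv4(next(read_pcap(good))[1]),
        "right_linktype": next(read_pcap(right))[0],
    }
```

Running `looks_like_stripped_ipv4` over every record of a Bro-written file is a quick way to confirm the symptom on a live sensor before filing; the `read_pcap` here only understands the little-endian magic its own writer emits, so for real files use a proper pcap reader and keep the check function.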