[Bro] bro help please
Justin Azoff
JAzoff at uamail.albany.edu
Wed Apr 7 05:56:50 PDT 2010
On Wed, Apr 07, 2010 at 08:12:29AM -0400, Seth Hall wrote:
>
> On Apr 7, 2010, at 2:11 AM, vijay khadse wrote:
>
> > bro: problem with trace file /usr/local/bro/090500-0-
> > anon.pcap - unknown data link type 0x68
>
>
> The packets in tracefile are encapsulated in something strange at
> layer-2. Most commonly, the packets would be encapsulated in Ethernet
> headers (aka EN10MB). I don't know what 0x68 is.

I found them in pcap-bpf.h..

#define DLT_NULL 0 /* BSD loopback encapsulation */
#define DLT_EN10MB 1 /* Ethernet (10Mb) */
...
#define DLT_C_HDLC 104 /* Cisco HDLC */

I'm not sure why that would be..

Adding support for other encapsulation types seems to just be a matter of
telling bro what the offset to the data is at the end of src/PktSrc.cc

I have no idea what the offset is for HDLC though :-)

--
-- Justin Azoff
-- Network Security & Performance Analyst
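
Added example, not part of the original message and not Bro's own code: reading the link type out of a pcap file header and mapping it to the layer-2 offset discussed above. The function names and sample bytes are hypothetical; the 4-byte Cisco HDLC header (address, control, 2-byte protocol) comes from the Cisco HDLC framing, not from this thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DLT_NULL   0   /* BSD loopback encapsulation */
#define DLT_EN10MB 1   /* Ethernet (10Mb) */
#define DLT_C_HDLC 104 /* Cisco HDLC */

/* Constructed sample: little-endian pcap file header with link type 0x68. */
const uint8_t sample_hdr[24] = { 0xd4,0xc3,0xb2,0xa1, 2,0, 4,0, 0,0,0,0,
    0,0,0,0, 0xff,0xff,0,0, 0x68,0,0,0 };
/* Constructed sample: Cisco HDLC unicast frame carrying IPv4 (0x0800). */
const uint8_t sample_frame[5] = { 0x0f, 0x00, 0x08, 0x00, 0x45 };

static uint32_t rd32(const uint8_t *p, int be) {
    return be ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
              : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}

/* Link type from a 24-byte pcap file header, or -1 if the magic is unknown. */
int pcap_linktype(const uint8_t *hdr, size_t len) {
    if (len < 24) return -1;
    uint32_t magic = rd32(hdr, 1);
    int be = (magic == 0xa1b2c3d4u || magic == 0xa1b23c4du); /* big-endian writer */
    if (!be && magic != 0xd4c3b2a1u && magic != 0x4d3cb2a1u) return -1;
    return (int)(rd32(hdr + 20, be) & 0xffffu); /* low 16 bits hold the link type */
}

/* Bytes of layer-2 header before the network-layer packet, or -1 if unknown. */
int l2_header_len(int dlt) {
    switch (dlt) {
    case DLT_NULL:   return 4;  /* 4-byte address-family word */
    case DLT_EN10MB: return 14; /* dst MAC, src MAC, EtherType; no VLAN tag */
    case DLT_C_HDLC: return 4;  /* address, control, 2-byte protocol */
    default:         return -1; /* refuse to guess an offset */
    }
}

/* Offset of the IPv4 packet in a Cisco HDLC frame, or -1 if it is not IPv4. */
int chdlc_ipv4_offset(const uint8_t *frame, size_t caplen) {
    if (caplen < 4) return -1; /* truncated capture */
    unsigned proto = (unsigned)frame[2] << 8 | frame[3];
    return proto == 0x0800 ? 4 : -1; /* keepalives and other protocols are skipped */
}

int main(void) {
    int dlt = pcap_linktype(sample_hdr, sizeof sample_hdr);
    printf("linktype=%d l2_len=%d\n", dlt, l2_header_len(dlt));
    return 0;
}
```

Returning -1 for an unlisted link type keeps a reader from parsing layer-2 bytes as an IP header when the encapsulation is unknown.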