[Bro] PPPoE Capture IP Layer Being Stripped

Jason dn1nj4 at gmail.com
Tue May 12 06:43:46 PDT 2015


Good day all,

One of my sites has all PPPoE traffic on the link I'm monitoring.  The .log
files are all generated correctly, but PCAP files end up with stripped IP
layer information.  This was easy to reproduce in bro 2.3.1 on Ubuntu by
doing:

tcpdump -nn -i ethX -w test.pcap
bro -r test.pcap -w bro.pcap

The tcpdump traffic in test.pcap looks fine, but the bro pcap comes up as
Ethernet traffic with an unknown type.

Is this a known bug?  Or is there perhaps some configuration that needs to
be changed in bro support this traffic?

Thanks in advance,
Jason
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150512/3e9f5379/attachment.html 


More information about the Bro mailing list