[Bro] PPPoE Capture IP Layer Being Stripped

Jason dn1nj4 at gmail.com
Thu May 14 00:57:18 PDT 2015


On Tue, May 12, 2015 at 12:51 PM, Jason <dn1nj4 at gmail.com> wrote:

>
> Date: Tue, 12 May 2015 10:04:56 -0600
>> From: James Lay <jlay at slave-tothe-box.net>
>> Subject: Re: [Bro] PPPoE Capture IP Layer Being Stripped
>> To: bro at bro.org
>> Message-ID: <b60c0945aa4749712ec607bdff0a435c at localhost>
>> Content-Type: text/plain; charset=US-ASCII; format=flowed
>>
>> On 2015-05-12 07:43 AM, Jason wrote:
>> > Good day all,
>> >
>> > One of my sites has all PPPoE traffic on the link I'm monitoring.  The
>> > .log files are all generated correctly, but PCAP files end up with
>> > stripped IP layer information.  This was easy to reproduce in bro
>> > 2.3.1 on Ubuntu by doing:
>> >
>> > tcpdump -nn -i ethX -w test.pcap
>> > bro -r test.pcap -w bro.pcap
>> >
>> > The tcpdump traffic in test.pcap looks fine, but the bro pcap comes up
>> > as Ethernet traffic with an unknown type.
>> >
>> > Is this a known bug?  Or is there perhaps some configuration that
>> > needs to be changed in bro to support this traffic?
>> >
>> > Thanks in advance,
>> >
>> > Jason
>> >
>>
>> I run bro on ppp0, but I don't think I've seen this issue.  Have you
>> tried having bro listen on the physical interface instead?
>>
>> James
>>
>>
>> ------------------------------
>>
> I have indeed.  Live capture was where the problem was first noticed.  I
> moved to an offline/tcpdump test as part of my troubleshooting to ensure
> nothing else was causing problems (link issues, PF_RING, etc).
>

Has anyone else run into these problems?  Any suggestions?  As far as I can
tell it's specific to bro.

Thanks again,
Jason
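As an added illustration of the check described in this thread (written for this page; it is not code from the thread, from Bro or from tcpdump), the script below walks a classic pcap file, unwraps Ethernet to PPPoE session to PPP to IP, and reports every frame in which no IP header can be reached. Run against a capture such as `bro.pcap`, it tells you whether the IP layer survived the rewrite. The pcap builder, the sample frames, and the "unresolvable" frame (which uses the experimental EtherType 0x88B5) are constructed here; the thread only describes Bro's output as "Ethernet traffic with an unknown type", so that constructed frame is an approximation of the symptom, not a reproduction of what Bro wrote.

```python
import struct
import sys

# Real protocol constants (IANA / libpcap values)
ETH_P_IP = 0x0800
ETH_P_IPV6 = 0x86DD
ETH_P_PPPOE_SESSION = 0x8864
PPP_PROTO_IPV4 = 0x0021
PPP_PROTO_IPV6 = 0x0057
LINKTYPE_ETHERNET = 1


def build_pcap(frames):
    """Build a little-endian classic pcap (Ethernet link type) from raw frames.
    Constructed helper for this example; timestamps are just the frame index."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in enumerate(frames):
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_pcap_frames(data):
    """Yield raw frames from a classic pcap byte string (either endianness)."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only handles the Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def classify_frame(frame):
    """Return (encapsulation description, IP bytes or None)."""
    if len(frame) < 14:
        return "truncated ethernet", None
    ethertype, = struct.unpack_from("!H", frame, 12)
    payload = frame[14:]
    if ethertype == ETH_P_IP:
        return "ipv4", payload
    if ethertype == ETH_P_IPV6:
        return "ipv6", payload
    if ethertype == ETH_P_PPPOE_SESSION:
        if len(payload) < 8:
            return "truncated pppoe", None
        # PPPoE: ver/type, code, session id, length (covers the 2-byte PPP protocol), PPP protocol
        vt, code, _session, plen, proto = struct.unpack_from("!BBHHH", payload, 0)
        if vt != 0x11 or code != 0x00:
            return "pppoe non-session frame", None
        inner = payload[8:8 + max(plen - 2, 0)]
        if proto == PPP_PROTO_IPV4:
            return "pppoe/ppp/ipv4", inner
        if proto == PPP_PROTO_IPV6:
            return "pppoe/ppp/ipv6", inner
        return "pppoe/ppp proto 0x%04x" % proto, None
    return "unknown ethertype 0x%04x" % ethertype, None


def audit_pcap(data):
    """Count frames with a reachable, plausible IP header versus frames without one."""
    summary = {"with_ip": 0, "without_ip": 0, "details": []}
    for i, frame in enumerate(iter_pcap_frames(data)):
        kind, ip = classify_frame(frame)
        ok = ip is not None and len(ip) >= 20 and (ip[0] >> 4) in (4, 6)
        summary["with_ip" if ok else "without_ip"] += 1
        summary["details"].append((i, kind, ok))
    return summary


def ipv4_header(src, dst, payload_len, proto=17):
    """Constructed 20-byte IPv4 header; checksum left at 0 since it is not checked here."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                       0x1234, 0x4000, 64, proto, 0, src, dst)


# Constructed sample frames: PPPoE-encapsulated IPv4, plain IPv4, and one unresolvable frame.
MACS = bytes.fromhex("0011223344550066778899aa")
IP_PKT = ipv4_header(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 8) + b"\x00" * 8
FRAME_PPPOE = MACS + struct.pack("!H", ETH_P_PPPOE_SESSION) \
    + struct.pack("!BBHHH", 0x11, 0x00, 1, len(IP_PKT) + 2, PPP_PROTO_IPV4) + IP_PKT
FRAME_PLAIN = MACS + struct.pack("!H", ETH_P_IP) + IP_PKT
FRAME_UNRESOLVABLE = MACS + struct.pack("!H", 0x88B5) + IP_PKT  # experimental EtherType
SAMPLE_PCAP = build_pcap([FRAME_PPPOE, FRAME_PLAIN, FRAME_UNRESOLVABLE])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    result = audit_pcap(data)
    for idx, kind, ok in result["details"]:
        print("frame %d: %-28s ip_reachable=%s" % (idx, kind, ok))
    print("with_ip=%d without_ip=%d" % (result["with_ip"], result["without_ip"]))
```

Usage: `python audit_pcap.py bro.pcap` (or with no argument to run on the built-in sample). A capture where every frame lands in `without_ip` while the tcpdump-side capture of the same traffic lands in `with_ip` is the symptom the thread describes; extending `classify_frame` with VLAN (0x8100) or PPPoE discovery handling is straightforward if your link carries those.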