[Bro] PPPoE Capture IP Layer Being Stripped

James Lay jlay at slave-tothe-box.net
Thu May 14 04:06:52 PDT 2015


On Thu, 2015-05-14 at 03:57 -0400, Jason wrote:
> On Tue, May 12, 2015 at 12:51 PM, Jason <dn1nj4 at gmail.com> wrote:
> 
>         
>         
>                 Date: Tue, 12 May 2015 10:04:56 -0600
>                 From: James Lay <jlay at slave-tothe-box.net>
>                 Subject: Re: [Bro] PPPoE Capture IP Layer Being Stripped
>                 To: bro at bro.org
>                 Message-ID: <b60c0945aa4749712ec607bdff0a435c at localhost>
>                 Content-Type: text/plain; charset=US-ASCII; format=flowed
>                 
>                 On 2015-05-12 07:43 AM, Jason wrote:
>                 > Good day all,
>                 >
>                 > One of my sites has all PPPoE traffic on the link I'm monitoring.  The
>                 > .log files are all generated correctly, but PCAP files end up with
>                 > stripped IP layer information.  This was easy to reproduce in bro
>                 > 2.3.1 on Ubuntu by doing:
>                 >
>                 > tcpdump -nn -i ethX -w test.pcap
>                 > bro -r test.pcap -w bro.pcap
>                 >
>                 > The tcpdump traffic in test.pcap looks fine, but the bro pcap comes up
>                 > as Ethernet traffic with an unknown type.
>                 >
>                 > Is this a known bug?  Or is there perhaps some configuration that
>                 > needs to be changed in bro to support this traffic?
>                 >
>                 > Thanks in advance,
>                 >
>                 > Jason
>                 >
>                 
>                 I run bro on ppp0, but I don't think I've seen this issue.  Have you
>                 tried having bro listen on the physical interface instead?
>                 
>                 James
>                 
>         
>         I have indeed.  Live capture was where the problem was first
>         noticed.  I moved to an offline/tcpdump test as part of my
>         troubleshooting to ensure nothing else was causing problems
>         (link issues, PF_RING, etc).
>         
> 
> Has anyone else run into these problems?  Any suggestions?  As far as
> I can tell it's specific to bro.
> 
> 
> Thanks again,
> Jason
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


At this stage I would file a bug report.

James
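Before filing that report, the useful check is to look at what the two capture files actually contain at the link layer: whether each frame carries an EtherType the tools know (IPv4, IPv6, or a PPPoE session frame whose PPP protocol field announces IP) or something unrecognised. The following is an added example for this thread, not code from Bro or from either poster. It is a stdlib-only pcap walker that classifies every Ethernet frame by EtherType, descending through the 6-byte PPPoE session header (EtherType 0x8864, per RFC 2516) to the 2-byte PPP protocol field (0x0021 for IPv4, 0x0057 for IPv6). The sample capture, the MAC addresses, the 0x1234 EtherType standing in for the "unknown type" frame, and the function names are all constructed for the example; the classic (non-pcapng) pcap layout it parses is the format tcpdump -w and bro -w produce.

```python
import struct

# EtherTypes and PPP protocol numbers the classifier recognises (IANA / RFC 2516 values)
ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
ETH_PPPOE_SESSION = 0x8864
PPP_IPV4, PPP_IPV6 = 0x0021, 0x0057
DLT_EN10MB = 1  # pcap link type for Ethernet


def classify_frame(frame: bytes) -> str:
    """Label a single Ethernet frame by how far the IP layer is reachable."""
    if len(frame) < 14:
        return "truncated"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_IPV4:
        return "ipv4"
    if ethertype == ETH_IPV6:
        return "ipv6"
    if ethertype == ETH_PPPOE_SESSION:
        # PPPoE session header: ver/type (1) code (1) session id (2) length (2),
        # immediately followed by the 2-byte PPP protocol field.
        if len(frame) < 22:
            return "pppoe-truncated"
        ppp_proto = struct.unpack("!H", frame[20:22])[0]
        if ppp_proto == PPP_IPV4:
            return "pppoe/ipv4"
        if ppp_proto == PPP_IPV6:
            return "pppoe/ipv6"
        return "pppoe/other(0x%04x)" % ppp_proto
    # This is what a decoder shows as "Ethernet traffic with an unknown type".
    return "unknown-ethertype(0x%04x)" % ethertype


def iter_pcap_frames(data: bytes):
    """Yield link-layer frames from a classic pcap file held in memory."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    # version major/minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != DLT_EN10MB:
        raise ValueError("expected DLT_EN10MB (1), got link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def summarize_pcap(data: bytes) -> dict:
    """Count frames per classification; compare the result for test.pcap and bro.pcap."""
    counts = {}
    for frame in iter_pcap_frames(data):
        label = classify_frame(frame)
        counts[label] = counts.get(label, 0) + 1
    return counts


def build_pcap(frames) -> bytes:
    """Build a little-endian classic pcap around the given frames (test fixture helper)."""
    hdr = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, DLT_EN10MB)
    out = [hdr]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1431432000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


# Constructed sample capture: one PPPoE-encapsulated IPv4 frame, one plain IPv4 frame,
# and one frame with an unassigned EtherType standing in for the stripped case.
_MACS = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
_IPV4_STUB = bytes([0x45, 0x00, 0x00, 0x14]) + bytes(16)  # minimal 20-byte IPv4 header
_PPPOE_HDR = bytes([0x11, 0x00]) + struct.pack("!HH", 1, 2 + len(_IPV4_STUB))
SAMPLE_PCAP = build_pcap([
    _MACS + struct.pack("!H", ETH_PPPOE_SESSION) + _PPPOE_HDR + struct.pack("!H", PPP_IPV4) + _IPV4_STUB,
    _MACS + struct.pack("!H", ETH_IPV4) + _IPV4_STUB,
    _MACS + struct.pack("!H", 0x1234) + bytes(20),
])

if __name__ == "__main__":
    # For real files: summarize_pcap(open("test.pcap", "rb").read()) vs. bro.pcap
    print(summarize_pcap(SAMPLE_PCAP))
```

Running the summary over test.pcap and bro.pcap side by side tells you concretely what changed: if the tcpdump file reports only pppoe/ipv4 and the Bro-written file reports unknown-ethertype or truncated frames, that per-frame evidence is what belongs in the bug report.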