[Bro] Bro Digest, Vol 109, Issue 14

Seth Hall seth at icir.org
Mon May 18 11:24:21 PDT 2015


This problem isn’t a huge surprise to me.  We haven’t supported the packet-writing feature for several releases (it’s also not explicitly deprecated, we just haven’t given it any attention).  At the very least, it isn’t something that we have tests for due to it being complicated and unreliable in some circumstances.

  .Seth

> On May 12, 2015, at 12:51 PM, Jason <dn1nj4 at gmail.com> wrote:
> 
> 
> Date: Tue, 12 May 2015 10:04:56 -0600
> From: James Lay <jlay at slave-tothe-box.net>
> Subject: Re: [Bro] PPPoE Capture IP Layer Being Stripped
> To: bro at bro.org
> Message-ID: <b60c0945aa4749712ec607bdff0a435c at localhost>
> Content-Type: text/plain; charset=US-ASCII; format=flowed
> 
> On 2015-05-12 07:43 AM, Jason wrote:
> > Good day all,
> >
> > One of my sites has all PPPoE traffic on the link I'm monitoring.  The
> > .log files are all generated correctly, but PCAP files end up with
> > stripped IP layer information.  This was easy to reproduce in bro
> > 2.3.1 on Ubuntu by doing:
> >
> > tcpdump -nn -i ethX -w test.pcap
> > bro -r test.pcap -w bro.pcap
> >
> > The tcpdump traffic in test.pcap looks fine, but the bro pcap comes up
> > as Ethernet traffic with an unknown type.
> >
> > Is this a known bug?  Or is there perhaps some configuration that
> > needs to be changed in bro to support this traffic?
> >
> > Thanks in advance,
> >
> > Jason
> >
> 
> I run bro on ppp0, but I don't think I've seen this issue.  Have you
> tried having bro listen on the physical interface instead?
> 
> James
> 
> 
> ------------------------------
> 
> I have indeed.  Live capture was where the problem was first noticed.  I moved to an offline/tcpdump test as part of my troubleshooting to ensure nothing else was causing problems (link issues, PF_RING, etc).

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
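A check for the symptom described in the thread, added here as an example and not code from the list or the Bro project: it parses a classic pcap with a minimal stdlib-only reader and tallies how each frame decodes, so running it over tcpdump's test.pcap and Bro's bro.pcap shows whether the PPPoE session (ethertype 0x8864) and PPP IPv4 (protocol 0x0021) headers survived the rewrite or came out as an unrecognised ethertype. The sample frames and pcap bytes are constructed for the demonstration, not captured from the reporter's link.

```python
import struct
from collections import Counter

ETH_P_IP, ETH_P_PPPOE_SESSION, PPP_PROTO_IPV4 = 0x0800, 0x8864, 0x0021

def classify_frame(frame):
    """Label a frame by the header stack a decoder must walk to reach the IP layer."""
    if len(frame) < 14:
        return "truncated"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_P_IP:
        return "ipv4"
    if ethertype == ETH_P_PPPOE_SESSION:
        # 6-byte PPPoE session header, then the 2-byte PPP protocol field
        if len(frame) < 22:
            return "pppoe/truncated"
        ppp_proto = struct.unpack("!H", frame[20:22])[0]
        return "pppoe/ipv4" if ppp_proto == PPP_PROTO_IPV4 else "pppoe/0x%04x" % ppp_proto
    return "unknown/0x%04x" % ethertype

def iter_pcap_frames(data):
    """Yield each frame from classic little-endian pcap bytes (DLT_EN10MB only)."""
    magic, linktype = struct.unpack("<I", data[:4])[0], struct.unpack("<I", data[20:24])[0]
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def summarize_pcap(data):
    """Histogram of frame classes; a healthy PPPoE capture shows 'pppoe/ipv4', not 'unknown/...'."""
    return Counter(classify_frame(f) for f in iter_pcap_frames(data))

def build_pcap(frames):
    """Constructed pcap bytes for testing: global header plus one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed frames (not bytes from the thread): two MACs, ethertype, then filler payload.
MACS = b"\x00" * 6 + b"\x02" * 6
IPV4_HDR = b"\x45" + b"\x00" * 19                      # minimal 20-byte IPv4 header shape
PPPOE_IPV4 = MACS + struct.pack("!H", 0x8864) + bytes([0x11, 0x00, 0x00, 0x01]) \
    + struct.pack("!HH", len(IPV4_HDR) + 2, 0x0021) + IPV4_HDR
UNKNOWN_ETH = MACS + struct.pack("!H", 0x1234) + IPV4_HDR  # ethertype no decoder recognises
```

To compare the two files from the report, call `summarize_pcap(open("test.pcap", "rb").read())` and the same for bro.pcap; a healthy pair shows the same counts under `pppoe/ipv4`.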
