[Zeek] non_ip_packet_in_ethernet on a TCP three way handshake

Hui Lin (Hugo) hlin33 at illinois.edu
Mon Jun 24 14:00:20 PDT 2019


Hi Johanna,

A little bit more debugging that I did.

I captured the trace with Wireshark; Wireshark shows no errors on this
three-way handshake.

I used the original trace that has the LLDP packet as the first packet; the
same warning is still generated on the first packet.

I am not sure what triggers the error in Bro.

Thanks a lot and best,

Hui Lin


On Mon, Jun 24, 2019 at 1:54 PM Johanna Amann <johanna at icir.org> wrote:

> Hi Hui,
>
> Just to check the obvious - did you look at the trace in
> tcpdump/something else to check that it actually has correct ethernet
> headers, etc?
>
> Johanna
>
> On 24 Jun 2019, at 13:24, Hui Lin (Hugo) wrote:
>
> > Hi,
> >
> > I have a pcap containing only a TCP three-way handshake. When I tried
> > this pcap in "try zeek" online with a simple tcp_packet event handler,
> > nothing is printed out and a non_ip_packet_in_ethernet warning is
> > generated in the weird log. Any idea what is going on?
> >
> > Best regards,
> >
> > Hui Lin
> >
> >
> >
> >
> > --
> > Hui Lin
> > Ph.D. Candidate (http://hlin33.web.engr.illinois.edu/)
> > DEPEND (http://depend.csl.illinois.edu/)
> > ECE, Uni. of Illinois at Urbana-Champaign
> > _______________________________________________
> > Zeek mailing list
> > zeek at zeek.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek


-- 
Hui Lin
Ph.D. Candidate (http://hlin33.web.engr.illinois.edu/)
DEPEND (http://depend.csl.illinois.edu/)
ECE, Uni. of Illinois at Urbana-Champaign
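The check Johanna asks for (does the file actually carry well-formed Ethernet headers?) can be done without trusting a GUI dissector, by reading the pcap global header for the link type and each frame's EtherType directly. The script below is an added example, not code from this thread or from the Zeek project. It assumes a classic pcap (not pcapng) and that the link type must be Ethernet (DLT_EN10MB) for Zeek's Ethernet layer to be the one in play; the weird name itself only says that a frame in the Ethernet layer had an EtherType Zeek does not hand to its IP analysis. The sample capture embedded in the script (an LLDP frame, a three-way handshake, and one 802.1Q-tagged frame) is constructed in code and is not the reporter's trace; the helper names (`parse_pcap`, `ethertype_of`, `classify`, `non_ip_frames`) are this example's own.

```python
"""Report a pcap's link type and the EtherType of every Ethernet frame.

Added example, not code from the thread or from the Zeek project.
Assumes a classic pcap (not pcapng) with an Ethernet link type; the
sample capture below is constructed in code and is not a real trace.
"""
import socket
import struct

DLT_EN10MB = 1          # Ethernet link type value in the pcap global header
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6",
              0x88CC: "LLDP", 0x8100: "802.1Q"}
IP_ETHERTYPES = {0x0800, 0x86DD}


def parse_pcap(data):
    """Return (linktype, [frame bytes, ...]) from a classic pcap."""
    magic = data[:4]
    if magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    elif magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    else:
        raise ValueError("not a classic pcap (magic %r)" % magic)
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    frames, off = [], 24
    while off + 16 <= len(data):
        # record header: ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return linktype, frames


def ethertype_of(frame):
    """Effective EtherType of an Ethernet frame, looking through 802.1Q tags."""
    if len(frame) < 14:
        return None                      # truncated: no complete Ethernet header
    et = struct.unpack("!H", frame[12:14])[0]
    off = 14
    while et == 0x8100 and len(frame) >= off + 4:
        et = struct.unpack("!H", frame[off + 2:off + 4])[0]   # skip TCI, read inner type
        off += 4
    return et


def classify(data):
    """List (frame_no, ethertype, name, is_ip) for every frame in the pcap."""
    linktype, frames = parse_pcap(data)
    if linktype != DLT_EN10MB:
        raise ValueError("link type %d is not Ethernet (DLT_EN10MB)" % linktype)
    rows = []
    for i, f in enumerate(frames, 1):
        et = ethertype_of(f)
        name = "truncated" if et is None else ETHERTYPES.get(et, "unknown")
        rows.append((i, et, name, et in IP_ETHERTYPES))
    return rows


def non_ip_frames(data):
    """Frame numbers whose EtherType is neither IPv4 nor IPv6."""
    return [i for i, _, _, is_ip in classify(data) if not is_ip]


# ---- constructed fixture (not a real capture) ------------------------------
def _eth(dst, src, ethertype, payload):
    return bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", ethertype) + payload


def _ipv4_tcp(src, dst, sport, dport, flags):
    # Checksums left at zero: only the header layout matters for this check.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def _pcap(linktype, frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    recs = [struct.pack("<IIII", 1561400000 + i, 0, len(f), len(f)) + f
            for i, f in enumerate(frames)]
    return hdr + b"".join(recs)


A, B = "001122334455", "66778899aabb"
SYN, SYNACK, ACK = 0x02, 0x12, 0x10
SAMPLE_PCAP = _pcap(DLT_EN10MB, [
    # LLDP: chassis-id TLV (type 1, length 7, MAC subtype) then the end TLV
    _eth("0180c200000e", A, 0x88CC, bytes.fromhex("020704" + A + "0000")),
    _eth(B, A, 0x0800, _ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 80, SYN)),
    _eth(A, B, 0x0800, _ipv4_tcp("10.0.0.2", "10.0.0.1", 80, 40000, SYNACK)),
    _eth(B, A, 0x0800, _ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 80, ACK)),
    # the same ACK, 802.1Q-tagged (VLAN 100): still IPv4 once the tag is skipped
    _eth(B, A, 0x8100, struct.pack("!HH", 100, 0x0800)
         + _ipv4_tcp("10.0.0.1", "10.0.0.2", 40000, 80, ACK)),
])

if __name__ == "__main__":
    for no, et, name, is_ip in classify(SAMPLE_PCAP):
        label = name if et is None else "0x%04x (%s)" % (et, name)
        print("frame %d: %s%s" % (no, label, "" if is_ip else "  <- not IP"))
```

Run it against the real file by replacing SAMPLE_PCAP with `open(path, "rb").read()`. If the link type is not 1, the file was not written as Ethernet at all (a cooked or raw-IP capture) and no Ethernet-level check applies; if it is, the frames listed as "not IP" are the ones to compare against the weird.log entries, keeping in mind that this script only reports EtherTypes and says nothing about which of them a given Zeek version dispatches.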