[Zeek] non_ip_packet_in_ethernet on a TCP three way handshake

Hui Lin (Hugo) hlin33 at illinois.edu
Mon Jun 24 15:18:30 PDT 2019


HI Johanna,

It turned out to be a problem from Wireshark. I rebooted everything and
then used Wireshark to collect the same traffic from the machine. It is
working fine. I am not exactly sure what causes the problem, but I will
share the pcap with you, as this scenario can be a potential DoS for Bro.
As the mailing list blocks attachments, I will send you the pcap in a private email.

Thank you and Best regards,

Hui Lin

On Mon, Jun 24, 2019 at 2:00 PM Hui Lin (Hugo) <hlin33 at illinois.edu> wrote:

> Hi Johanna,
>
> A little bit more debugging that I did.
>
> I captured the trace through Wireshark; Wireshark shows no errors on this
> three-way handshake.
>
> I used the original trace that has the LLDP packet as the first packet;
> the same warning is still generated on the first packet.
>
> I am not sure what triggers the error in Bro.
>
> Thanks a lot and best,
>
> Hui Lin
>
>
> On Mon, Jun 24, 2019 at 1:54 PM Johanna Amann <johanna at icir.org> wrote:
>
>> Hi Hui,
>>
>> Just to check the obvious - did you look at the trace in
>> tcpdump/something else to check that it actually has correct Ethernet
>> headers, etc.?
>>
>> Johanna
>>
>> On 24 Jun 2019, at 13:24, Hui Lin (Hugo) wrote:
>>
>> > Hi,
>> >
>> > I have a pcap containing only a TCP three-way handshake. When I tried this
>> > pcap in "try zeek" online with a simple tcp_packet event handler, nothing
>> > is printed out and a non_ip_packet_in_ethernet warning is generated in the
>> > weird log. Any idea what is going on?
>> >
>> > Best regards,
>> >
>> > Hui Lin
>> > _______________________________________________
>> > Zeek mailing list
>> > zeek at zeek.org
>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>

-- 
Hui Lin
Ph.D. Candidate (http://hlin33.web.engr.illinois.edu/)
DEPEND (http://depend.csl.illinois.edu/)
ECE, Uni. of Illinois at Urbana-Champaign
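Johanna's suggestion above amounts to checking the link-layer headers of the capture before blaming the analyzer. The following is an added example, not code from the thread or from Zeek: a small pure-Python reader for classic libpcap files that checks the link type is Ethernet and reports each frame's EtherType, marking frames that are not IPv4/IPv6 (such as the LLDP frame, EtherType 0x88CC, mentioned in the thread) as the ones a non_ip_packet_in_ethernet weird would point at. The sample capture is constructed inline; treating everything other than IPv4/IPv6 (after one 802.1Q tag) as "non-IP" is a simplification, since Zeek also understands ARP and a few other types.

```python
import struct

LINKTYPE_ETHERNET = 1
VLAN_ETHERTYPE = 0x8100
# EtherTypes a capture of a plain TCP handshake should carry (simplification).
IP_ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6"}

def ethertype_of(frame):
    """Payload EtherType of an Ethernet frame, peeling at most one 802.1Q tag."""
    if len(frame) < 14:
        return None  # truncated frame: no EtherType field present
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == VLAN_ETHERTYPE and len(frame) >= 18:
        etype = struct.unpack("!H", frame[16:18])[0]
    return etype

def audit_pcap(data):
    """Walk a classic libpcap file (not pcapng) held in memory; 'non_ip' marks
    frames Zeek would not parse as IP, i.e. the ones behind the weird."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"link type {linktype} is not Ethernet (1)")
    report, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        etype = ethertype_of(frame)
        report.append({"index": len(report), "ethertype": etype,
                       "non_ip": etype not in IP_ETHERTYPES})
    return report

# Constructed sample: an LLDP frame (EtherType 0x88CC) followed by three
# IPv4 frames standing in for the SYN / SYN-ACK / ACK of the handshake.
def _frame(etype, payload):
    return b"\x01\x80\xc2\x00\x00\x0e" + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", etype) + payload

def _record(frame):
    return struct.pack("<IIII", 1561410000, 0, len(frame), len(frame)) + frame

SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
SAMPLE_PCAP += _record(_frame(0x88CC, b"\x02\x07\x04" + b"\x00" * 20))
for _ in range(3):
    SAMPLE_PCAP += _record(_frame(0x0800, b"\x45" + b"\x00" * 39))
```

Running `audit_pcap` over a real capture flags the frame index and EtherType to look at; a first frame with a non-IP EtherType is exactly what the weird in the original report describes.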