Snort mailing list archives
Re: cannot decode data link type 239
From: Sharif Uddin <Sharif.Uddin () spectrumasa com>
Date: Tue, 9 Sep 2014 17:13:47 +0000
tcpdump -s 100 icmp -i ens34 -vv
tcpdump: WARNING: ens34: no IPv4 address assigned
tcpdump: listening on ens34, link-type EN10MB (Ethernet), capture size 100 bytes
18:12:52.081885 IP (tos 0x0, ttl 64, id 24766, offset 0, flags [none], proto ICMP (1), length 84)
    janus.uk.domain.com > uranus.uk.domain.com: ICMP echo reply, id 13946, seq 1, length 64
18:12:52.082129 IP (tos 0x0, ttl 63, id 22430, offset 0, flags [none], proto ICMP (1), length 84)
    mail1.domain.com > uranus.uk.domain.com: ICMP echo reply, id 13948, seq 1, length 64
18:12:52.083083 IP (tos 0x0, ttl 63, id 6404, offset 0, flags [none], proto ICMP (1), length 84)
    ukftp.domain.com > uranus.uk.domain.com: ICMP echo reply, id 13950, seq 1, length 64
18:12:52.662074 IP (tos 0x0, ttl 64, id 43183, offset 0, flags [DF], proto ICMP (1), length 56)
    wan.uk.domain.com > spam.uk.domain.com: ICMP redirect no-dns-yet.demon.co.uk to host janus.uk.domain.com, length 36
    IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 76)
    spam.uk.domain.com.ntp > no-dns-yet.demon.co.uk.ntp: [|ntp]
18:12:53.082484 IP (tos 0x0, ttl 64, id 24767, offset 0, flags [none], proto ICMP (1), length 84)
    janus.uk.domain.com > uranus.uk.domain.com: ICMP echo reply, id 13946, seq 2, length 64
18:12:53.082838 IP (tos 0x0, ttl 63, id 22431, offset 0, flags [none], proto ICMP (1), length 84)
    mail1.domain.com > uranus.uk.domain.com: ICMP echo reply, id 13948, seq 2, length 64
18:12:53.083775 IP (tos 0x0, ttl 63, id 6405, offset 0, flags [none], proto ICMP (1), length 84)
    ukftp.domain.com > uranus.uk.domain.com: ICMP echo reply, id 13950, seq 2, length 64
18:12:53.741482 IP (tos 0x0, ttl 64, id 20286, offset 0, flags [none], proto ICMP (1), length 84)
    wanacc.uk.domain.com > echo.uk.domain.com: ICMP echo request, id 38916, seq 1, length 64
18:12:54.083454 IP (tos 0x0, ttl 64, id 24768, offset 0, flags [none], proto ICMP (1), length 84)
    janus.uk.domain.com > uranus.uk.domain.com: ICMP echo reply, id 13946, seq 3, length 64
18:12:54.083609 IP (tos 0x0, ttl 63, id 22432, offset 0, flags [none], proto ICMP (1), length 84)
    mail1.domain.com > uranus.uk.domain.com: ICMP echo reply, id 13948, seq 3, length 64
18:12:54.084660 IP (tos 0x0, ttl 63, id 6406, offset 0, flags [none], proto ICMP (1), length 84)
    ukftp.domain.com > uranus.uk.domain.com: ICMP echo reply, id 13950, seq 3, length 64
18:12:54.756659 IP (tos 0x0, ttl 64, id 20322, offset 0, flags [none], proto ICMP (1), length 84)
    wanacc.uk.domain.com > echo.uk.domain.com: ICMP echo request, id 38916, seq 2, length 64
18:12:55.083413 IP (tos 0x0, ttl 64, id 24769, offset 0, flags [none], proto ICMP (1), length 84)
    janus.uk.domain.com > uranus.uk.domain.com: ICMP echo reply, id 13946, seq 4, length 64
18:12:55.083624 IP (tos 0x0, ttl 63, id 22433, offset 0, flags [none], proto ICMP (1), length 84)
    mail1.domain.com > uranus.uk.domain.com: ICMP echo reply, id 13948, seq 4, length 64
18:12:55.084662 IP (tos 0x0, ttl 63, id 6407, offset 0, flags [none], proto ICMP (1), length 84)
    ukftp.domain.com > uranus.uk.domain.com: ICMP echo reply, id 13950, seq 4, length 64
18:12:56.083351 IP (tos 0x0, ttl 64, id 24770, offset 0, flags [none], proto ICMP (1), length 84)
    janus.uk.domain.com > uranus.uk.domain.com: ICMP echo reply, id 13946, seq 5, length 64
18:12:56.083538 IP (tos 0x0, ttl 63, id 22434, offset 0, flags [none], proto ICMP (1), length 84)
    mail1.domain.com > uranus.uk.domain.com: ICMP echo reply, id 13948, seq 5, length 64
18:12:56.084631 IP (tos 0x0, ttl 63, id 6408, offset 0, flags [none], proto ICMP (1), length 84)
    ukftp.domain.com > uranus.uk.domain.com: ICMP echo reply, id 13950, seq 5, length 64

-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: 09 September 2014 18:04
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] cannot decode data link type 239

On 2014-09-09 11:01, Sharif Uddin wrote:
I have just tried and made no difference. Strace still gives me

socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
ioctl(4, SIOCGIFADDR, {ifr_name="nflog", ???}) = -1 ENODEV (No such device)
close(4) = 0
write(2, "ERROR: Cannot decode data link t"..., 40ERROR: Cannot decode data link type 239
) = 40
write(2, "Fatal Error, Quitting..\n", 24Fatal Error, Quitting..
) = 24
close(3) = 0
exit_group(1) = ?
+++ exited with 1 +++
Got a pcap you can share?

James

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
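Since the reply asks for a pcap, here is an added diagnostic (not from the thread, not Snort's or libpcap's own code) that reads the 24-byte classic pcap global header and reports the link type a capture was taken with: 1 is the EN10MB that tcpdump reported for ens34 above, while 239, the value in the Snort error, is DLT_NFLOG in libpcap's link-type list. The two sample headers are constructed for the example.

```python
import struct
import sys

# Link-layer ("DLT") values from libpcap's dlt.h. 1 is what tcpdump printed for
# ens34 (EN10MB); 239 is the value in the Snort error and is DLT_NFLOG, the
# Linux netfilter log pseudo-interface that Snort's strace shows it probing.
LINKTYPE_NAMES = {
    1: "EN10MB (Ethernet)",
    113: "LINUX_SLL (Linux cooked capture)",
    239: "NFLOG (Linux netfilter log)",
}

# Magic values as they appear when the first 4 bytes are read little-endian;
# each maps to the struct byte-order prefix and whether timestamps are in ns.
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", False),
    0xD4C3B2A1: (">", False),
    0xA1B23C4D: ("<", True),
    0x4D3CB2A1: (">", True),
}


def pcap_link_type(header: bytes) -> tuple:
    """Parse a classic 24-byte pcap global header; return (linktype, name)."""
    if len(header) < 24:
        raise ValueError("need the 24-byte pcap global header")
    magic = struct.unpack("<I", header[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError(f"magic 0x{magic:08x} is not classic pcap (pcap-ng?)")
    order, _nanos = PCAP_MAGICS[magic]
    # Remaining fields: version_major, version_minor, thiszone, sigfigs,
    # snaplen, network (the link type).
    _maj, _min, _tz, _sig, _snaplen, network = struct.unpack(
        order + "HHiIII", header[4:24])
    return network, LINKTYPE_NAMES.get(network, "not in this script's table")


# Constructed sample headers (not captures from the thread): a little-endian
# file with link type 239 (NFLOG) and a big-endian file with EN10MB.
NFLOG_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 100, 239)
ETHER_HEADER = struct.pack(">IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 100, 1)

if __name__ == "__main__":
    # Usage: python3 pcap_linktype.py capture.pcap
    with open(sys.argv[1], "rb") as f:
        print(pcap_link_type(f.read(24)))
```

A file that reports 239 here was written from an nflog capture rather than the Ethernet interface, which matches the link type Snort refused in the strace output.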
Current thread:
- cannot decode data link type 239 Sharif Uddin (Sep 09)
- Re: cannot decode data link type 239 James Lay (Sep 09)
- Re: cannot decode data link type 239 Sharif Uddin (Sep 09)
- Re: cannot decode data link type 239 James Lay (Sep 09)
- Re: cannot decode data link type 239 Sharif Uddin (Sep 09)
- Re: cannot decode data link type 239 James Lay (Sep 09)
- Re: cannot decode data link type 239 Russ Combs (rucombs) (Sep 09)
- Re: cannot decode data link type 239 Sharif Uddin (Sep 09)
- Re: cannot decode data link type 239 James Lay (Sep 09)
- Re: cannot decode data link type 239 waldo kitty (Sep 09)