Snort mailing list archives
Re: cannot decode data link type 239
From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 09 Sep 2014 11:16:44 -0600
On 2014-09-09 11:13, Sharif Uddin wrote:
tcpdump -s 100 icmp -i ens34 -vv
tcpdump: WARNING: ens34: no IPv4 address assigned
tcpdump: listening on ens34, link-type EN10MB (Ethernet), capture size 100 bytes
18:12:52.081885 IP (tos 0x0, ttl 64, id 24766, offset 0, flags [none], proto ICMP (1), length 84)
    janus.uk.domain.com > uranus.uk.domain.com: ICMP echo reply, id 13946, seq 1, length 64
18:12:52.082129 IP (tos 0x0, ttl 63, id 22430, offset 0, flags [none], proto ICMP (1), length 84)

-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: 09 September 2014 18:04
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] cannot decode data link type 239

On 2014-09-09 11:01, Sharif Uddin wrote:
I have just tried and made no difference. Strace still gives me

socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
ioctl(4, SIOCGIFADDR, {ifr_name="nflog", ???}) = -1 ENODEV (No such device)
close(4) = 0
write(2, "ERROR: Cannot decode data link t"..., 40ERROR: Cannot decode data link type 239
) = 40
write(2, "Fatal Error, Quitting..\n", 24Fatal Error, Quitting..
) = 24
close(3) = 0
exit_group(1) = ?
+++ exited with 1 +++

Got a pcap you can share?

James

Ah...close but no taco. How about tcpdump -s 0 icmp -i ens34 -vv -w /tmp/bleh.pcap, then send the pcap to the list?

James