Re: Snort 2.9.7.2 throws ERROR: Cannot decode data link type 113 while reading pcaps

[Pratik Narang <pratik.cse.bits () gmail com>]

Here you go : https://dl.dropboxusercontent.com/u/83226006/gtisc-winobot.20071027.1193443201.pcap
This pcap comes from the 'Storm' botnet. It was obtained from obtained
from a 3rd party - so I am not really sure what non-ethernet stuff it
has.

Thanks!

On Thu, May 21, 2015 at 3:07 PM, Al Lewis (allewi) <allewi () cisco com> wrote:
> Can you provide some sample traffic that is giving you the error please?
>
> Albert Lewis
> QA Software Engineer
> SOURCEfire, Inc. now part of Cisco
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi () cisco com
>
>
> -----Original Message-----
> From: Pratik Narang [mailto:pratik.cse.bits () gmail com]
> Sent: Thursday, May 21, 2015 2:09 AM
> To: Al Lewis (allewi)
> Cc: snort-users () lists sourceforge net; Waldo Kitty
> Subject: Re: [Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode data link type 113 while reading pcaps
>
> Thanks Waldo and Albert.
> I recompiled Snort: ./configure --enable-sourcefire --enable-non-ether-decoders (followed by make and sudo make 
> install) However, when i try to run it against the pcaps, I still get the same error.
> Any hints?
>
>
>
>
>
> On Wed, May 20, 2015 at 8:57 PM, Al Lewis (allewi) <allewi () cisco com> wrote:
> > What he means is that you need to recompile snort with that flag to read non Ethernet headers.
> >
> > Snort will decode Ethernet pcaps by default.
> >
> > Hope this helps.
> >
> > Albert Lewis
> > QA Software Engineer
> > SOURCEfire, Inc. now part of Cisco
> > 9780 Patuxent Woods Drive
> > Columbia, MD 21046
> > Phone: (office) 443.430.7112
> > Email: allewi () cisco com
> >
> > -----Original Message-----
> > From: Pratik Narang [mailto:pratik.cse.bits () gmail com]
> > Sent: Wednesday, May 20, 2015 8:12 AM
> > To: snort-users () lists sourceforge net; Waldo Kitty
> > Subject: Re: [Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode
> > data link type 113 while reading pcaps
> >
> > On Wed, May 20, 2015 at 5:41 PM, Pratik Narang <pratik.cse.bits () gmail com> wrote:
> > > ---------- Forwarded message ----------
> > > From: Pratik Narang <pratik.cse.bits () gmail com>
> > > Date: Wed, May 20, 2015 at 5:41 PM
> > > Subject: Re: [Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode
> > > data link type 113 while reading pcaps
> > > To: waldo kitty <wkitty42 () windstream net>
> > >
> > >
> > > Ummm... so,if I got that right, to be able to parse pcaps, I need to
> > > re-compile Snort?
> > >
> > > On Wed, May 20, 2015 at 5:30 PM, waldo kitty <wkitty42 () windstream net> wrote:
> > > > On 05/20/2015 07:40 AM, Pratik Narang wrote:
> > > > > Now, I tried to run it against .pcap files in a directory using the
> > > > > option --pcap-dir="/path/to/dumpfiles". Snort throws up an error:
> > > > > ERROR: Cannot decode data link type 113 I read somewhere that
> > > > > "--enable-non-ether-decoders" can be used to resolve this. But I
> > > > > guess this option is not available for the present version of Snort.
> > > >
> > > > that's a compile time option... you have to use it when you run
> > > > configure or make to create your snort binary...
> > > >
> > > > --
> > > >   NOTE: No off-list assistance is given without prior approval.
> > > >         Please *keep mailing list traffic on the list* unless
> > > >         private contact is specifically requested and granted.
> > > >
> > > > --------------------------------------------------------------------
> > > > -
> > > > --------- One dashboard for servers and applications across
> > > > Physical-Virtual-Cloud Widest out-of-the-box monitoring support with
> > > > 50+ applications Performance metrics, stats and reports that give
> > > > 50+ you
> > > > Actionable Insights Deep dive visibility with transaction tracing
> > > > using APM Insight.
> > > > http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > >
> > > > Please visit http://blog.snort.org to stay current on all the latest Snort news!
> >
> > ----------------------------------------------------------------------
> > -------- One dashboard for servers and applications across
> > Physical-Virtual-Cloud Widest out-of-the-box monitoring support with 50+ applications Performance metrics, stats and 
> > reports that give you Actionable Insights Deep dive visibility with transaction tracing using APM Insight.
> > http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!