Snort mailing list archives

RE: Linktype 113 not decoded


From: "BALDWIN, BILL (SBCSI)" <wb7192 () sbc com>
Date: Mon, 28 Feb 2005 08:47:26 -0600

Also, if I turn on 
Output alert_full: alert.full
It appears that Snort is able to capture the header information:

[**] WEB-ATTACKS id command attempt [**]
02/28-14:31:10.793388 203.218.33.49:1337 -> X.X.X.X:80
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:16759
***AP*** Seq: 0x78632E02  Ack: 0x8ED8D432  Win: 0x3DBD TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Both Snort-2.3.0 and Barnyard-0.2.0 are running on the same system.

-bill


-----Original Message-----
Sent: Friday, February 25, 2005 12:47 PM
Subject: Re: [Snort-users] Linktype 113 not decoded


Looks like you're using cooked sockets (Linux SLL) to acquire the data 
and Barnyard doesn't know how to process them.  You'd have to add a 
layer 2 decoder for linux SLL traffic before Barnyard will recognize 
those packets.

       -Marty

On Feb 24, 2005, at 10:12 AM, BALDWIN, BILL (SBCSI) wrote:

I'm running into an issue I hope someone can help with.

Environment:
Snort-2.3.0
Barnyard-0.2.0
Libpcap-0.7.2-7.E3.2
RedHat ES 3 update 3 SMP (2.4.21-20.Elsmp)

The system is running 2 GigE fibre cards that are spanning 2 routers
with no ip address and snort starts with -i any.  The problem is the
alerts have no ip/udp header information.  Looking at barnyard's dump.log
I'm getting "Linktype 113 not decoded.  Raw packet dumped" instead of
the packet header.  If I run tcpdump or ethereal on any of the
interfaces, I am able to get all header info.

Any help would be greatly appreciated.

Bill



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_ide95&alloc_id396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend.
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org



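The layer-2 decoding step Marty describes, as an added example that is not part of this thread or of Barnyard's code: a Python decoder for the 16-byte Linux cooked (DLT_LINUX_SLL, linktype 113) pseudo-header that sits in front of the IP header when capturing with -i any, followed by the IPv4 and TCP fields that alert.full prints. The frame it parses is constructed here to mirror the alert above; 192.0.2.10 is a placeholder for the masked X.X.X.X destination.

```python
import struct
from typing import Dict

SLL_HDR_LEN = 16   # fixed size of the Linux "cooked" pseudo-header (DLT 113)
ETH_P_IP = 0x0800  # protocol field value for an IPv4 payload

def decode_sll(frame: bytes) -> Dict[str, object]:
    """Decode an SLL frame down to the TCP header; keys mirror alert_full fields."""
    if len(frame) < SLL_HDR_LEN:
        raise ValueError("frame too short for SLL header")
    # pkttype: 0=to us, 1=broadcast, 2=multicast, 3=other host, 4=sent by us
    pkt_type, arphrd, addr_len, addr, proto = struct.unpack("!HHH8sH", frame[:SLL_HDR_LEN])
    out = {"sll_pkttype": pkt_type, "sll_hatype": arphrd,
           "sll_addr": addr[:addr_len].hex(), "sll_proto": proto}
    if proto != ETH_P_IP:
        return out  # non-IPv4 payload: only the cooked header is decoded here
    ip = frame[SLL_HDR_LEN:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, dgm_len, ip_id, _frag, ttl, ip_proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ip_len = (ver_ihl & 0x0F) * 4  # IHL is in 32-bit words
    out.update({"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
                "ttl": ttl, "tos": tos, "id": ip_id, "iplen": ip_len,
                "dgmlen": dgm_len, "proto": ip_proto})
    if ip_proto != 6:
        return out  # not TCP
    tcp = ip[ip_len:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, win, _tcsum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    out.update({"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                "flags": off_flags & 0xFF, "win": win, "tcplen": (off_flags >> 12) * 4})
    return out

# Constructed sample frame (not a capture from the thread's sensor): SLL header
# for an Ethernet-sourced IPv4/TCP segment with the ACK+PSH flags set.
SAMPLE_FRAME = (
    struct.pack("!HHH8sH", 0, 1, 6, bytes.fromhex("0011223344550000"), ETH_P_IP)
    + struct.pack("!BBHHHBBH4s4s", 0x45, 0x10, 40, 0, 0x4000, 240, 6, 0,
                  bytes([203, 218, 33, 49]), bytes([192, 0, 2, 10]))
    + struct.pack("!HHIIHHHH", 1337, 80, 0x78632E02, 0x8ED8D432, (5 << 12) | 0x18, 0x3DBD, 0, 0)
)

if __name__ == "__main__":
    d = decode_sll(SAMPLE_FRAME)
    print(f"{d['src']}:{d['sport']} -> {d['dst']}:{d['dport']} TTL:{d['ttl']} "
          f"TOS:0x{d['tos']:X} ID:{d['id']} IpLen:{d['iplen']} DgmLen:{d['dgmlen']}")
```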

