Snort mailing list archives

Re: Snorting a Kismet tun/tap interface: Cannot decode data link type 105


From: James Lay <jlay () slave-tothe-box net>
Date: Tue, 9 Jul 2013 06:34:26 -0600


On Jul 9, 2013, at 5:40 AM, Hayden Stainsby <hds () titanemail com> wrote:

I am trying to snort (amongst other interfaces) a Kismet tun/tap
interface, and am receiving this error:

ERROR: Cannot decode data link type 105

When I went through the snort code, it looked as if 105 refers to
DLT_IEEE802_11, which makes sense given that I'm reading wireless data
out of kismet.

I've recently upgraded to Ubuntu 12.04 LTS, which is when I started
getting this error. I have tried with both the install that I had of
Snort 2.9.1, which was working before the upgrade, and also a new
install of Snort 2.9.5. Both produce the same error, but only for the
kistap1 device that Kismet creates; I am also using snort on eth0 and
wlan0 with no problems.

Right now I'm running it as root to test, so I don't think it's a
permission issue.

I've included the output running snort with no configuration file and
with the default configuration file below (the second one is quite
long, sorry about that).

Any help or pointers would be most appreciated.

Thanks in advance,

Hayden

Compile with the addition of:

--enable-non-ether-decoders

James
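
The following is an added example, not part of the original thread and not Snort or Kismet code: it reads the global header of a classic pcap file and reports the link type, so you can confirm that a capture really carries DLT 105 (raw 802.11) before deciding Snort needs a rebuild. The function names and the sample header are constructed for illustration.

```python
import struct
import sys

# Link-layer header type values from the pcap LINKTYPE registry.
LINKTYPES = {1: "EN10MB (Ethernet)", 105: "IEEE802_11 (raw 802.11)",
             127: "IEEE802_11_RADIOTAP (radiotap + 802.11)"}

# Magic as it appears on disk -> (struct byte order, timestamp resolution).
MAGICS = {b"\xd4\xc3\xb2\xa1": ("<", "microsecond"),
          b"\xa1\xb2\xc3\xd4": (">", "microsecond"),
          b"\x4d\x3c\xb2\xa1": ("<", "nanosecond"),
          b"\xa1\xb2\x3c\x4d": (">", "nanosecond")}

def pcap_linktype(header: bytes) -> dict:
    """Parse the 24-byte classic pcap global header and report its link type."""
    if len(header) < 24:
        raise ValueError("truncated pcap global header")
    if header[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng or other format)")
    order, resolution = MAGICS[header[:4]]
    major, minor, _zone, _sigfigs, snaplen, network = struct.unpack(
        order + "HHiIII", header[4:24])
    dlt = network & 0xFFFF  # upper bits may carry FCS information
    return {"version": (major, minor), "resolution": resolution,
            "snaplen": snaplen, "linktype": dlt,
            "name": LINKTYPES.get(dlt, "not in this example's table")}

def snort_hint(dlt: int) -> str:
    """Relate the link type to the error and fix discussed in this thread."""
    if dlt == 105:
        return ("raw 802.11: matches 'Cannot decode data link type 105'; "
                "the reply says to build with --enable-non-ether-decoders")
    if dlt == 1:
        return "Ethernet: not the link type this thread's error is about"
    return "other link type: check which decoders your Snort build includes"

# Constructed sample: little-endian header, version 2.4, snaplen 65535, DLT 105.
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read(24) if len(sys.argv) > 1 else SAMPLE
    info = pcap_linktype(data)
    print(info)
    print(snort_hint(info["linktype"]))
```

Pass the path of a capture file written from the interface in question as the first argument; with no argument the script parses the constructed sample header.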
