Snort mailing list archives

Re: cannot decode data link type 239


From: "Russ Combs (rucombs)" <rucombs () cisco com>
Date: Tue, 9 Sep 2014 17:55:44 +0000

You don't need strace to get the FATAL ERROR: that datalink type is not supported by Snort. Did your interface or DAQ change?

Snort can decode only a subset of the datalink types defined here: http://www.tcpdump.org/linktypes.html. That one is Linux netlink NETLINK NFLOG socket log messages.

If you would like support for that, send a pcap to snort-devel. They could also get you started with your own development for that support.

Thanks
Russ
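
To see which link type a capture actually carries before sending it to the list (or to confirm that "239" really is NFLOG), here is an added Python example, not part of this thread nor of Snort or tcpdump, that parses the 24-byte pcap global header and names the link type. The type names come from the tcpdump link-type table linked above; the byte-order and nanosecond-magic handling and the `build_header` helper used to construct sample headers are my assumptions for the demo.

```python
import struct
import sys

# Link-layer type numbers from http://www.tcpdump.org/linktypes.html
LINKTYPE_NAMES = {
    0: "NULL",
    1: "EN10MB",        # Ethernet, what tcpdump reported on ens34
    101: "RAW",
    105: "IEEE802_11",
    113: "LINUX_SLL",
    239: "NFLOG",       # the type Snort refused in the thread
}

# pcap magic numbers -> struct byte-order prefix (assumed; classic and
# nanosecond-resolution variants in both byte orders)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanoseconds
}

def pcap_linktype(data: bytes) -> int:
    """Return the link-layer type from a pcap global header (first 24 bytes)."""
    if len(data) < 24:
        raise ValueError("short pcap header")
    endian = PCAP_MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not a pcap file (unknown magic)")
    # magic, version major/minor, thiszone, sigfigs, snaplen, network
    _, _, _, _, _, _, network = struct.unpack(endian + "IHHiIII", data[:24])
    # newer pcap writers may store FCS/flag bits in the upper bits; the
    # link-layer type itself is the low 16 bits
    return network & 0xFFFF

def describe_linktype(linktype: int) -> str:
    """Human-readable form, e.g. '239 (NFLOG)'."""
    return f"{linktype} ({LINKTYPE_NAMES.get(linktype, 'unknown')})"

def build_header(linktype: int, snaplen: int = 65535) -> bytes:
    """Construct a little-endian microsecond pcap global header (sample data)."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)

if __name__ == "__main__":
    # Usage: python pcap_linktype.py /tmp/bleh.pcap
    with open(sys.argv[1], "rb") as fh:
        print(describe_linktype(pcap_linktype(fh.read(24))))
```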

________________________________________
From: James Lay [jlay () slave-tothe-box net]
Sent: Tuesday, September 09, 2014 1:16 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] cannot decode data link type 239

On 2014-09-09 11:13, Sharif Uddin wrote:
tcpdump -s 100 icmp -i ens34 -vv
tcpdump: WARNING: ens34: no IPv4 address assigned
tcpdump: listening on ens34, link-type EN10MB (Ethernet), capture
size 100 bytes
18:12:52.081885 IP (tos 0x0, ttl 64, id 24766, offset 0, flags
[none], proto ICMP (1), length 84)
    janus.uk.domain.com > uranus.uk.domain.com: ICMP echo reply, id
13946, seq 1, length 64
18:12:52.082129 IP (tos 0x0, ttl 63, id 22430, offset 0, flags
[none], proto ICMP (1), length 84)

-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: 09 September 2014 18:04
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] cannot decode data link type 239

On 2014-09-09 11:01, Sharif Uddin wrote:
I have just tried and made no difference. Strace still gives me


socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
ioctl(4, SIOCGIFADDR, {ifr_name="nflog", ???}) = -1 ENODEV (No such device)
close(4)                                = 0
write(2, "ERROR: Cannot decode data link t"..., 40ERROR: Cannot decode data link type 239
) = 40
write(2, "Fatal Error, Quitting..\n", 24Fatal Error, Quitting..
) = 24
close(3)                                = 0
exit_group(1)                           = ?
+++ exited with 1 +++

Got a pcap you can share?

James

Ah...close but no taco. How about tcpdump -s 0 icmp -i ens34 -vv -w /tmp/bleh.pcap, then send the pcap to the list?

James

------------------------------------------------------------------------------
Want excitement?
Manually upgrade your production database.
When you want reliability, choose Perforce.
Perforce version control. Predictably reliable.
http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
