This is a discussion on Re: [Snort-users] Linktype 113 not decoded within the Snort forums, part of the System Security and Security Related category.
Looks like you're using cooked sockets (Linux SLL) to acquire the data and Barnyard doesn't know how to process them. You'd have to add a layer 2 decoder for Linux SLL traffic before Barnyard will recognize those packets.

-Marty

On Feb 24, 2005, at 10:12 AM, BALDWIN, BILL (SBCSI) wrote:

> I'm running into an issue I hope someone can help with.
>
> Environment:
> Snort-2.3.0
> Barnyard-0.2.0
> Libpcap-0.7.2-7.E3.2
> RedHat ES 3 update 3 SMP (2.4.21-20.Elsmp)
>
> The system is running 2 GigE fibre cards that are spanning 2 routers
> with no IP address and Snort starts with -i any. The problem is the
> alerts have no ip/udp header information. Looking at Barnyard's
> dump.log I'm getting "Linktype 113 not decoded. Raw packet dumped"
> instead of the packet header. If I run tcpdump or ethereal on any of
> the interfaces, I am able to get all header info.
>
> Any help would be greatly appreciated.
>
> Bill

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover. Determine. Defend.
roesch@sourcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
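A sketch of the kind of layer 2 decoder the reply above refers to, added here as an example and not taken from Barnyard or Snort. It parses libpcap's 16-byte Linux cooked-capture (SLL) pseudo-header, which is what link type 113 denotes; the names `sll_decode` and `struct sll_info` and the sample packet are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DLT_LINUX_SLL 113    /* libpcap link type for Linux cooked capture */
#define SLL_HDR_LEN   16     /* fixed size of the cooked pseudo-header */
#define ETHERTYPE_IP  0x0800

struct sll_info {            /* hypothetical holder for the decoded fields */
    uint16_t pkttype;        /* 0 to us, 1 broadcast, 2 multicast, 3 other host, 4 sent by us */
    uint16_t hatype;         /* ARPHRD_* type of the capturing device */
    uint16_t halen;          /* link-layer address length */
    uint8_t  addr[8];        /* link-layer address, zero padded */
    uint16_t protocol;       /* EtherType of the payload */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns the offset of the network-layer header (16), or -1 if the link
 * type is not SLL or the capture is too short to hold the pseudo-header. */
int sll_decode(int linktype, const uint8_t *pkt, size_t caplen, struct sll_info *out)
{
    if (linktype != DLT_LINUX_SLL || caplen < SLL_HDR_LEN) return -1;
    out->pkttype  = be16(pkt);
    out->hatype   = be16(pkt + 2);
    out->halen    = be16(pkt + 4);
    memcpy(out->addr, pkt + 6, sizeof out->addr);
    out->protocol = be16(pkt + 14);
    return SLL_HDR_LEN;
}

/* Constructed sample: SLL header, then a bare IPv4 header (checksum left 0). */
static const uint8_t sample[] = {
    0x00,0x00, 0x00,0x01, 0x00,0x06,            /* to us, ARPHRD_ETHER, halen 6 */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x00,0x00,   /* source MAC plus padding */
    0x08,0x00,                                  /* EtherType: IPv4 */
    0x45,0x00,0x00,0x1c, 0x00,0x00,0x00,0x00, 0x40,0x11,0x00,0x00,
    10,0,0,1, 10,0,0,2                          /* UDP, 10.0.0.1 -> 10.0.0.2 */
};

int main(void)
{
    struct sll_info s;
    int off = sll_decode(DLT_LINUX_SLL, sample, sizeof sample, &s);
    if (off < 0 || s.protocol != ETHERTYPE_IP || sizeof sample - (size_t)off < 20) return 1;
    const uint8_t *ip = sample + off;
    printf("IPv4 proto %u: %u.%u.%u.%u -> %u.%u.%u.%u\n", (unsigned)ip[9],
           ip[12], ip[13], ip[14], ip[15], ip[16], ip[17], ip[18], ip[19]);
    return 0;
}
```

Once the pseudo-header is stripped, the IP/UDP headers sit at a fixed offset, which is the information missing from the alerts in the question.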