[Snort-users] Linktype 113 not decoded

Martin Roesch roesch at ...1935...
Fri Feb 25 10:54:19 EST 2005


Looks like you're using cooked sockets (Linux SLL) to acquire the data 
and Barnyard doesn't know how to process them.  You'd have to add a 
layer 2 decoder for linux SLL traffic before Barnyard will recognize 
those packets.

       -Marty

On Feb 24, 2005, at 10:12 AM, BALDWIN, BILL (SBCSI) wrote:

> I'm running into an issue I hope someone can help with.
>
> Environment:
> Snort-2.3.0
> Barnyard-0.2.0
> Libpcap-0.7.2-7.E3.2
> RedHat ES 3 update 3 SMP (2.4.21-20.Elsmp)
>
> The system is running 2 GigE fibre cards that are spanning 2 routers
> with no ip address and snort starts with -i any.  The problem is the
> alerts have no ip/udp header information.  Looking at Barnyard's dump.log
> I'm getting "Linktype 113 not decoded.  Raw packet dumped" instead of
> the packet header.  If I run tcpdump or ethereal on any of the
> interfaces, I am able to get all header info.
>
> Any help would be greatly appreciated.
>
> Bill
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend.
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org




