[Snort-users] Linktype 113 not decoded

Justin Heath justin.heath at ...11827...
Sat Feb 26 12:29:20 EST 2005


Sorry, but could you explain a bit further? I understand the
difference of raw/cooked sockets, but am unsure what Linux SLL is and
how it relates.


Thanks,
Justin

On Fri, 25 Feb 2005 13:47:12 -0500, Martin Roesch <roesch at ...1935...> wrote:
> Looks like you're using cooked sockets (Linux SLL) to acquire the data
> and Barnyard doesn't know how to process them.  You'd have to add a
> layer 2 decoder for linux SLL traffic before Barnyard will recognize
> those packets.
> 
>        -Marty
> 
> On Feb 24, 2005, at 10:12 AM, BALDWIN, BILL (SBCSI) wrote:
> 
> > I'm running into an issue I hope someone can help with.
> >
> > Environment:
> > Snort-2.3.0
> > Barnyard-0.2.0
> > Libpcap-0.7.2-7.E3.2
> > RedHat ES 3 update 3 SMP (2.4.21-20.Elsmp)
> >
> > The system is running 2 GigE fibre cards that are spanning 2 routers
> > with no ip address and snort starts with -i any.  The problem is the
> > alerts have no ip/udp header information.  Looking at Barnyard's
> > dump.log
> > I'm getting "Linktype 113 not decoded.  Raw packet dumped" instead of
> > the packet header.  If I run tcpdump or ethereal on any of the
> > interfaces, I am able to get all header info.
> >
> > Any help would be greatly appreciated.
> >
> > Bill
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> >
> --
> Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> Sourcefire - Discover.  Determine.  Defend.
> roesch at ...1935... - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org

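The layer 2 decoder Marty describes, as an added example that is not part of the original thread and is not Barnyard's code: it parses the 16-byte Linux cooked-capture (SLL) header that libpcap produces when capturing on `any`, then recovers the IPv4 addresses behind it. The names `sll_info`, `decode_sll` and `sll_ipv4_addrs`, and the sample frame, are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

#define DLT_LINUX_SLL 113  /* the "Linktype 113" in Barnyard's dump.log */
#define SLL_HDR_LEN   16   /* fixed size of the cooked-capture header */

struct sll_info {            /* hypothetical result struct for this example */
    uint16_t pkttype;        /* 0 = to us, 4 = sent by us */
    uint16_t hatype;         /* ARPHRD_ value, 1 = Ethernet */
    uint16_t halen;          /* meaningful bytes in addr, clamped to 8 */
    uint8_t  addr[8];        /* sender link-layer address */
    uint16_t protocol;       /* EtherType of the payload */
    const uint8_t *payload;  /* first byte after the SLL header */
    size_t   payload_len;
};
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode the SLL header; returns 0 on success, -1 on a short capture. */
int decode_sll(const uint8_t *pkt, size_t caplen, struct sll_info *out)
{
    if (!pkt || !out || caplen < SLL_HDR_LEN) return -1;
    out->pkttype  = be16(pkt);
    out->hatype   = be16(pkt + 2);
    out->halen    = be16(pkt + 4);
    if (out->halen > 8) out->halen = 8;  /* only the first 8 bytes are stored */
    memcpy(out->addr, pkt + 6, 8);
    out->protocol = be16(pkt + 14);
    out->payload  = pkt + SLL_HDR_LEN;
    out->payload_len = caplen - SLL_HDR_LEN;
    return 0;
}

/* IPv4 source/destination in host order; -1 if the frame is not valid IPv4. */
int sll_ipv4_addrs(const uint8_t *pkt, size_t caplen, uint32_t *src, uint32_t *dst)
{
    struct sll_info si;
    if (decode_sll(pkt, caplen, &si) != 0 || si.protocol != 0x0800) return -1;
    if (si.payload_len < 20 || (si.payload[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(si.payload[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > si.payload_len) return -1;
    *src = ((uint32_t)be16(si.payload + 12) << 16) | be16(si.payload + 14);
    *dst = ((uint32_t)be16(si.payload + 16) << 16) | be16(si.payload + 18);
    return 0;
}

/* Constructed sample: SLL header, then IPv4/UDP 192.0.2.1 -> 198.51.100.2 */
const uint8_t sample_frame[] = {
    0,0, 0,1, 0,6, 0x00,0x11,0x22,0x33,0x44,0x55,0,0, 0x08,0x00,
    0x45,0,0,0x1c, 0,0,0,0, 0x40,0x11,0,0, 192,0,2,1, 198,51,100,2,
    0x04,0xd2,0x00,0x35, 0x00,0x08,0x00,0x00 };
```

A decoder that assumes a 14-byte Ethernet header on this data reads the IP header at the wrong offset, which is why the link type has to be checked before any layer 3 parsing.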