[Snort-users] Linktype 113 not decoded
BALDWIN, BILL (SBCSI)
wb7192 at ...5059...
Mon Feb 28 06:00:41 EST 2005
Please explain. I also don't understand why Snort/Barnyard would be
having a problem, but tcpdump and Ethereal don't. To further clarify,
the fibre interfaces are defined as:
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
Looks like you're using cooked sockets (Linux SLL) to acquire the data
and Barnyard doesn't know how to process them. You'd have to add a
layer 2 decoder for linux SLL traffic before Barnyard will recognize
On Feb 24, 2005, at 10:12 AM, BALDWIN, BILL (SBCSI) wrote:
> I'm running into an issue I hope someone can help with.
> RedHat ES 3 update 3 SMP (2.4.21-20.Elsmp)
> The system is running 2 GigE fibre cards that are spanning 2 routers
> with no ip address and snort starts with -i any. The problem is the
> alerts have no ip/udp header information. Looking at Barnyard's
> I'm getting "Linktype 113 not decoded. Raw packet dumped" instead of
> the packet header. If I run tcpdump or ethereal on any of the
> interfaces, I am able to get all header info.
> Any help would be greatly appreciated.
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover. Determine. Defend.
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
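
As an added illustration of the layer 2 decoder the reply above refers to (not code from Barnyard, Snort, or this thread): linktype 113 is libpcap's Linux cooked capture (SLL) format, which replaces the Ethernet header with a fixed 16-byte pseudo-header when capturing on the `any` device. The sketch below parses that header and then reads the IPv4 addresses behind it. The struct and function names are hypothetical, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DLT_LINUX_SLL 113  /* libpcap link type for Linux cooked captures */
#define SLL_HDR_LEN   16
#define ETHERTYPE_IP  0x0800

struct sll_pkt {                 /* hypothetical result struct */
    uint16_t pkttype;            /* 0 to us, 1 broadcast, 2 multicast, 3 other host, 4 sent by us */
    uint16_t hatype;             /* ARPHRD_ type, 1 = Ethernet */
    uint16_t halen;              /* link-layer address length */
    uint8_t  addr[8];            /* sender's link-layer address, zero padded */
    uint16_t proto;              /* EtherType of the payload */
    const uint8_t *payload;
    size_t payload_len;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse the 16-byte cooked header; returns 0 on success, -1 if truncated. */
int decode_sll(const uint8_t *pkt, size_t caplen, struct sll_pkt *out)
{
    if (!pkt || !out || caplen < SLL_HDR_LEN) return -1;
    out->pkttype = be16(pkt);
    out->hatype  = be16(pkt + 2);
    out->halen   = be16(pkt + 4);
    memcpy(out->addr, pkt + 6, sizeof out->addr);
    out->proto   = be16(pkt + 14);
    out->payload = pkt + SLL_HDR_LEN;
    out->payload_len = caplen - SLL_HDR_LEN;
    return 0;
}

/* Pull IPv4 src/dst/protocol from the payload; -1 if not a sane IPv4 header. */
int sll_ipv4(const struct sll_pkt *s, uint32_t *src, uint32_t *dst, uint8_t *ipproto)
{
    if (s->proto != ETHERTYPE_IP || s->payload_len < 20) return -1;
    size_t ihl = (size_t)(s->payload[0] & 0x0f) * 4;
    if ((s->payload[0] >> 4) != 4 || ihl < 20 || ihl > s->payload_len) return -1;
    *ipproto = s->payload[9];
    *src = ((uint32_t)be16(s->payload + 12) << 16) | be16(s->payload + 14);
    *dst = ((uint32_t)be16(s->payload + 16) << 16) | be16(s->payload + 18);
    return 0;
}

/* Constructed sample: SLL header + IPv4/UDP 192.0.2.1 -> 192.0.2.2 (checksums zeroed). */
const uint8_t sample_pkt[] = {
    0x00,0x00, 0x00,0x01, 0x00,0x06, 0x00,0x11,0x22,0x33,0x44,0x55,0x00,0x00, 0x08,0x00,
    0x45,0x00,0x00,0x1c, 0x00,0x00,0x00,0x00, 0x40,0x11,0x00,0x00,
    0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02,
    0x04,0xd2,0x00,0x35, 0x00,0x08,0x00,0x00 };
```

A tool that only knows Ethernet framing reads these 16 bytes at the wrong offsets, which is why the IP and UDP headers never appear in its output even though the packet data is intact.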