[Snort-users] Linktype 113 not decoded

Martin Roesch roesch at ...1935...
Thu Mar 3 14:53:34 EST 2005


Hi Bill,

Snort's not having the problem, Barnyard is.  The packets have had 
their Ethernet headers stripped and are in "cooked" mode.  Barnyard 
doesn't understand that data format and that's why it's throwing the 
error.  I'll see what it'll take to get a Linux SLL decoder into 
Barnyard and get back to you...

     -Marty

On Feb 28, 2005, at 8:58 AM, BALDWIN, BILL (SBCSI) wrote:

> Please explain.  I also don't understand why Snort/Barnyard would be
> having a problem, but tcpdump and Ethereal don't.  To further clarify,
> the fibre interfaces are defined as:
>
> UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
>
> -bill
>
>
>
>
> Looks like you're using cooked sockets (Linux SLL) to acquire the data
> and Barnyard doesn't know how to process them.  You'd have to add a
> layer 2 decoder for linux SLL traffic before Barnyard will recognize
> those packets.
>
>        -Marty
>
> On Feb 24, 2005, at 10:12 AM, BALDWIN, BILL (SBCSI) wrote:
>
>> I'm running into an issue I hope someone can help with.
>>
>> Environment:
>> Snort-2.3.0
>> Barnyard-0.2.0
>> Libpcap-0.7.2-7.E3.2
>> RedHat ES 3 update 3 SMP (2.4.21-20.Elsmp)
>>
> >> The system is running 2 GigE fibre cards that are spanning 2 routers
> >> with no IP address and Snort starts with -i any.  The problem is the
> >> alerts have no IP/UDP header information.  Looking at Barnyard's
> >> dump.log I'm getting "Linktype 113 not decoded.  Raw packet dumped"
> >> instead of the packet header.  If I run tcpdump or Ethereal on any of
> >> the interfaces, I am able to get all header info.
>>
>> Any help would be greatly appreciated.
>>
>> Bill
>>
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend.
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
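Marty's diagnosis above (link type 113 is a Linux "cooked" capture, whose 16-byte pseudo-header replaces the Ethernet header) can be checked against a capture file directly. The following is an added example, not Barnyard's or Snort's decoder: it reads the DLT from a pcap file header, strips either an Ethernet (DLT 1) or a Linux SLL (DLT 113) layer-2 header, and then decodes the IPv4 and UDP/TCP headers that were missing from Bill's alerts. The sample datagram (10.0.0.1:53 to 10.0.0.2:1024 with a 16-byte payload), the MAC address, and the in-memory pcap wrapper with its timestamps are constructed here for the demonstration and are not from the thread.

```python
import struct

# libpcap link types (DLT_*) that matter for this thread
DLT_EN10MB = 1        # plain Ethernet: capturing on one named interface
DLT_LINUX_SLL = 113   # Linux "cooked" capture: what `-i any` produces (the 113 in the error)
ETHERTYPE_IPV4 = 0x0800

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; yields 0 over a header whose checksum field is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def strip_link_layer(linktype: int, frame: bytes):
    """Remove the layer-2 header and return (ethertype, remaining bytes)."""
    if linktype == DLT_EN10MB:
        if len(frame) < 14:
            raise ValueError("short Ethernet frame")
        return struct.unpack("!H", frame[12:14])[0], frame[14:]
    if linktype == DLT_LINUX_SLL:
        # 16-byte SLL pseudo-header: packet type, ARPHRD_ type, address length,
        # 8 bytes of zero-padded link-layer address, then the protocol (ethertype)
        if len(frame) < 16:
            raise ValueError("short SLL header")
        _pkt_type, _arphrd, _addr_len, _addr, proto = struct.unpack("!HHH8sH", frame[:16])
        return proto, frame[16:]
    raise ValueError("Linktype %d not decoded" % linktype)

def decode(linktype: int, frame: bytes) -> dict:
    """Decode L2 + IPv4 + UDP/TCP headers; raises ValueError on anything not understood."""
    ethertype, pkt = strip_link_layer(linktype, frame)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    total_len, proto = struct.unpack("!H", pkt[2:4])[0], pkt[9]
    info = {"linktype": linktype, "proto": proto, "ip_len": total_len,
            "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20]))}
    l4 = pkt[ihl:total_len]
    if proto == 17 and len(l4) >= 8:          # UDP
        sport, dport, ulen, _csum = struct.unpack("!HHHH", l4[:8])
        info.update(sport=sport, dport=dport, udp_len=ulen, payload=l4[8:ulen])
    elif proto == 6 and len(l4) >= 20:        # TCP
        sport, dport = struct.unpack("!HH", l4[:4])
        info.update(sport=sport, dport=dport, payload=l4[(l4[12] >> 4) * 4:])
    return info

def decode_or_error(linktype: int, frame: bytes):
    """decode(), but return the error text instead of raising (the 'raw packet dumped' path)."""
    try:
        return decode(linktype, frame)
    except ValueError as exc:
        return str(exc)

def build_sample_sll_udp() -> bytes:
    """Constructed sample: one IPv4/UDP datagram as a DLT_LINUX_SLL reader receives it."""
    payload = b"snort-users test"                                        # 16 bytes of UDP data
    udp = struct.pack("!HHHH", 53, 1024, 8 + len(payload), 0) + payload  # UDP checksum 0 = none
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])                # placeholder addresses
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]       # fill in header checksum
    mac = bytes.fromhex("001122334455")                                  # placeholder MAC
    sll = struct.pack("!HHH8sH", 0, 1, 6, mac + b"\x00\x00", ETHERTYPE_IPV4)
    return sll + ip + udp

def build_pcap(linktype: int, frames) -> bytes:
    """Constructed in-memory pcap (v2.4, little-endian); timestamps are placeholders."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1109600000 + i, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data: bytes):
    """Yield (linktype, frame) per record; the global header's 'network' field is the DLT."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        yield linktype, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

if __name__ == "__main__":
    for lt, frame in read_pcap(build_pcap(DLT_LINUX_SLL, [build_sample_sll_udp()])):
        print(decode_or_error(lt, frame), decode_or_error(DLT_EN10MB, frame), sep="\n")
```

Running it shows the point of the thread: the same bytes decode cleanly when treated as SLL, but a decoder that assumes Ethernet reads the padding of the SLL address field as the ethertype (0x0000) and finds no IP header at all, which is why Barnyard falls back to dumping the raw packet while tcpdump and Ethereal, which know DLT 113, show full headers. The header checksum check is there because a wrong layer-2 offset usually produces a "valid-looking" but garbage IPv4 header; verifying the checksum catches that before any alert fields are trusted. Capturing on one named interface instead of `-i any` yields DLT_EN10MB frames, which avoids the cooked encapsulation altogether.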