[Snort-users] Snorting a Kismet tun/tap interface: Cannot decode data link type 105

James Lay jlay at ...13475...
Tue Jul 9 08:34:26 EDT 2013


On Jul 9, 2013, at 5:40 AM, Hayden Stainsby <hds at ...16432...> wrote:

> I am trying to snort (amongst other interfaces) a Kismet tun/tap
> interface, and am receiving this error:
> 
> ERROR: Cannot decode data link type 105
> 
> When I went through the snort code, it looked as if 105 refers to
> DLT_IEEE802_11, which makes sense given that I'm reading wireless data
> out of kismet.
> 
> I've recently upgraded to Ubuntu 12.04 LTS, which is when I started
> getting this error. I have tried with both the install that I had of
> Snort 2.9.1 which was working before the upgrade and also a new
> install of Snort 2.9.5, both produce the same error, but only for the
> kistap1 device that Kismet creates, I am also using snort on eth0 and
> wlan0 with no problems.
> 
> Right now I'm running it as root to test, so I don't think it's a
> permission issue.
> 
> I've included the output running snort with no configuration file and
> with the default configuration file below (the second one is quite
> long, sorry about that).
> 
> Any help or pointers would be most appreciated.
> 
> Thanks in advance,
> 
> Hayden

Compile with the addition of:

--enable-non-ether-decoders

James




More information about the Snort-users mailing list