[Snort-users] Snorting a Kismet tun/tap interface: Cannot decode data link type 105

Hayden Stainsby hds at ...16432...
Tue Jul 9 08:57:23 EDT 2013

Thanks @Rmkml and James Lay, that was exactly what I was missing.

I needed to add "--enable-non-ether-decoders" to the configure options
before compiling, it now works perfectly.



On 9 July 2013 14:34, James Lay <jlay at ...13475...> wrote:
> On Jul 9, 2013, at 5:40 AM, Hayden Stainsby <hds at ...16432...> wrote:
>> I am trying to snort (amongst other interfaces) a Kismet tun/tap
>> interface, and am receiving this error:
>> ERROR: Cannot decode data link type 105
>> When I went through the snort code, it looked as if 105 refers to
>> DLT_IEEE802_11, which makes sense given that I'm reading wireless data
>> out of kismet.
>> I've recently upgraded to Ubuntu 12.04 LTS, which is when I started
>> getting this error. I have tried with both the install that I had of
>> Snort 2.9.1 which was working before the upgrade and also a new
>> install of Snort 2.9.5, both produce the same error, but only for the
>> kistap1 device that Kismet creates, I am also using snort on eth0 and
>> wlan0 with no problems.
>> Right now I'm running it as root to test, so I don't think it's a
>> permission issue.
>> I've included the output running snort with no configuration file and
>> with the default configuration file below (the second one is quite
>> long, sorry about that).
>> Any help or pointers would be most appreciated.
>> Thanks in advance,
>> Hayden
> Compile with the addition of:
> --enable-non-ether-decoders
> James
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

chop($_=<>);@s=split/ /;foreach$m(@s){if($m=='*'){$z=pop at ...7893...;$x=
pop at ...7893...;$a=eval"$x$m$z";push at ...7893...,$a;}else{push at ...7893...,$m;}}print"$a\n";

This email and any attachments are confidential, privileged and protected 
by copyright. If you are not the intended recipient, dissemination or 
copying of this email is prohibited. If you have received this in error, 
please notify the sender by replying by email and then delete the email 
completely from your system. *
*Where the content of this email is personal or otherwise unconnected with 
the Company or its business, Titan Entertainment Group accepts no 
responsibility or liability for such content. *
*Internet email may be susceptible to data corruption, interception and 
unauthorised amendment over which we have no control. Whilst sweeping all 
outgoing email for viruses, we do not accept liability for the presence of 
any computer viruses in this email or any losses caused as a result of 

More information about the Snort-users mailing list