[Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode data link type 113 while reading pcaps

Pratik Narang pratik.cse.bits at ...11827...
Thu May 21 02:09:09 EDT 2015


Thanks Waldo and Albert.
I recompiled Snort: ./configure --enable-sourcefire --enable-non-ether-decoders
(followed by make and sudo make install)
However, when I try to run it against the pcaps, I still get the same error.
Any hints?





On Wed, May 20, 2015 at 8:57 PM, Al Lewis (allewi) <allewi at ...589...> wrote:
> What he means is that you need to recompile snort with that flag to read non Ethernet headers.
>
> Snort will decode Ethernet pcaps by default.
>
> Hope this helps.
>
> Albert Lewis
> QA Software Engineer
> SOURCEfire, Inc. now part of Cisco
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi at ...589...
>
> -----Original Message-----
> From: Pratik Narang [mailto:pratik.cse.bits at ...11827...]
> Sent: Wednesday, May 20, 2015 8:12 AM
> To: snort-users at lists.sourceforge.net; Waldo Kitty
> Subject: Re: [Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode data link type 113 while reading pcaps
>
> On Wed, May 20, 2015 at 5:41 PM, Pratik Narang <pratik.cse.bits at ...14459.....> wrote:
>> ---------- Forwarded message ----------
>> From: Pratik Narang <pratik.cse.bits at ...11827...>
>> Date: Wed, May 20, 2015 at 5:41 PM
>> Subject: Re: [Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode
>> data link type 113 while reading pcaps
>> To: waldo kitty <wkitty42 at ...14940...>
>>
>>
>> Ummm... so, if I got that right, to be able to parse pcaps, I need to
>> re-compile Snort?
>>
>> On Wed, May 20, 2015 at 5:30 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>>> On 05/20/2015 07:40 AM, Pratik Narang wrote:
>>>> Now, I tried to run it against .pcap files in a directory using the
>>>> option --pcap-dir="/path/to/dumpfiles". Snort throws up an error:
>>>> ERROR: Cannot decode data link type 113 I read somewhere that
>>>> "--enable-non-ether-decoders" can be used to resolve this. But I
>>>> guess this option is not available for the present version of Snort.
>>>
>>> that's a compile time option... you have to use it when you run
>>> configure or make to create your snort binary...
>>>
>>> --
>>>   NOTE: No off-list assistance is given without prior approval.
>>>         Please *keep mailing list traffic on the list* unless
>>>         private contact is specifically requested and granted.
>>>
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
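
For diagnosing the error discussed in this thread, the following added example (not part of any message above, and not Snort code) reads the classic pcap file header and reports each capture's link-layer type; value 113 is LINKTYPE_LINUX_SLL (Linux cooked capture). The function names and the constructed sample header are assumptions made for illustration.

```python
import struct
import sys

# First four bytes read big-endian -> byte order of the remaining fields.
MAGICS = {0xA1B2C3D4: ">", 0xD4C3B2A1: "<",   # microsecond timestamps
          0xA1B23C4D: ">", 0x4D3CB2A1: "<"}   # nanosecond timestamps
PCAPNG_MAGIC = 0x0A0D0D0A                     # pcapng Section Header Block
NAMES = {0: "NULL", 1: "ETHERNET", 101: "RAW", 105: "IEEE802_11",
         113: "LINUX_SLL", 127: "IEEE802_11_RADIOTAP"}

def pcap_linktype(header: bytes) -> int:
    """Return the link-layer type from a 24-byte classic pcap file header."""
    if len(header) < 24:
        raise ValueError("truncated pcap file header")
    magic = struct.unpack(">I", header[:4])[0]
    if magic == PCAPNG_MAGIC:
        raise ValueError("pcapng file, not classic pcap")
    order = MAGICS.get(magic)
    if order is None:
        raise ValueError("not a pcap file (magic 0x%08x)" % magic)
    network = struct.unpack(order + "I", header[20:24])[0]
    return network & 0xFFFF   # upper bits are reserved for flags

def needs_non_ether_decoders(header: bytes) -> bool:
    """Per the thread, a default Snort 2.9 build decodes Ethernet only."""
    return pcap_linktype(header) != 1

def make_header(linktype: int, order: str = "<") -> bytes:
    """Constructed sample: a pcap 2.4 file header with the given link type."""
    return struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            head = f.read(24)
        try:
            lt = pcap_linktype(head)
        except ValueError as exc:
            print("%s: %s" % (path, exc))
            continue
        note = "needs --enable-non-ether-decoders" if lt != 1 else "Ethernet"
        print("%s: linktype %d (%s), %s" % (path, lt, NAMES.get(lt, "unknown"), note))
```

Run it with the pcap files as arguments to see which captures in a directory are not Ethernet before pointing Snort at them.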



