[Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode data link type 113 while reading pcaps

Al Lewis (allewi) allewi at ...589...
Thu May 21 05:37:24 EDT 2015


Can you provide some sample traffic that is giving you the error please?

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046 
Phone: (office) 443.430.7112
Email: allewi at ...589... 


-----Original Message-----
From: Pratik Narang [mailto:pratik.cse.bits at ...11827...] 
Sent: Thursday, May 21, 2015 2:09 AM
To: Al Lewis (allewi)
Cc: snort-users at lists.sourceforge.net; Waldo Kitty
Subject: Re: [Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode data link type 113 while reading pcaps

Thanks Waldo and Albert.
I recompiled Snort: ./configure --enable-sourcefire --enable-non-ether-decoders (followed by make and sudo make install). However, when I try to run it against the pcaps, I still get the same error.
Any hints?





On Wed, May 20, 2015 at 8:57 PM, Al Lewis (allewi) <allewi at ...589...> wrote:
> What he means is that you need to recompile snort with that flag to read non Ethernet headers.
>
> Snort will decode Ethernet pcaps by default.
>
> Hope this helps.
>
> Albert Lewis
> QA Software Engineer
> SOURCEfire, Inc. now part of Cisco
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi at ...589...
>
> -----Original Message-----
> From: Pratik Narang [mailto:pratik.cse.bits at ...11827...]
> Sent: Wednesday, May 20, 2015 8:12 AM
> To: snort-users at lists.sourceforge.net; Waldo Kitty
> Subject: Re: [Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode 
> data link type 113 while reading pcaps
>
> On Wed, May 20, 2015 at 5:41 PM, Pratik Narang <pratik.cse.bits at ...11827...> wrote:
>> ---------- Forwarded message ----------
>> From: Pratik Narang <pratik.cse.bits at ...11827...>
>> Date: Wed, May 20, 2015 at 5:41 PM
>> Subject: Re: [Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode 
>> data link type 113 while reading pcaps
>> To: waldo kitty <wkitty42 at ...14940...>
>>
>>
>> Ummm... so, if I got that right, to be able to parse pcaps, I need to 
>> re-compile Snort?
>>
>> On Wed, May 20, 2015 at 5:30 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>>> On 05/20/2015 07:40 AM, Pratik Narang wrote:
>>>> Now, I tried to run it against .pcap files in a directory using the 
>>>> option --pcap-dir="/path/to/dumpfiles". Snort throws up an error:
>>>> ERROR: Cannot decode data link type 113
>>>> I read somewhere that "--enable-non-ether-decoders" can be used to
>>>> resolve this. But I guess this option is not available for the
>>>> present version of Snort.
>>>
>>> that's a compile time option... you have to use it when you run 
>>> configure or make to create your snort binary...
>>>
>>> --
>>>   NOTE: No off-list assistance is given without prior approval.
>>>         Please *keep mailing list traffic on the list* unless
>>>         private contact is specifically requested and granted.
>>>
>


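Added example, not part of the original thread or of Snort: a small Python check that reads the global header of each classic pcap file in a directory and reports its link type, so you can see which captures are not Ethernet before pointing Snort at them. Link type 113 is LINKTYPE_LINUX_SLL (Linux "cooked" capture) in the tcpdump.org registry; the function names and the sample header are constructed for this illustration.

```python
import struct
import sys
from pathlib import Path

# Classic pcap magics (micro- and nanosecond variants) mapped to struct byte order.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"
# A few entries from the tcpdump.org link-layer header type registry.
LINKTYPES = {0: "NULL", 1: "ETHERNET", 101: "RAW", 105: "IEEE802_11",
             113: "LINUX_SLL", 127: "IEEE802_11_RADIOTAP"}
# Constructed sample: little-endian pcap 2.4 global header with link type 113.
SAMPLE_SLL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 113)

def pcap_linktype(header: bytes) -> int:
    """Return the link type stored in a 24-byte classic pcap global header."""
    if header[:4] == PCAPNG_MAGIC:
        raise ValueError("pcapng file: link type is per interface, not global")
    order = MAGICS.get(header[:4])
    if order is None:
        raise ValueError("not a pcap file (unknown magic)")
    if len(header) < 24:
        raise ValueError("truncated pcap global header")
    # Layout: magic, major, minor, thiszone, sigfigs, snaplen, network
    network = struct.unpack(order + "IHHiIII", header[:24])[6]
    return network & 0xFFFF  # link type is the low 16 bits of the field

def describe(linktype: int) -> str:
    name = LINKTYPES.get(linktype, "unknown")
    kind = "Ethernet" if linktype == 1 else "non-Ethernet"
    return f"{linktype} ({name}): {kind}"

def scan(directory: str) -> dict:
    """Map each *.pcap file in directory to its link type description or error."""
    out = {}
    for path in sorted(Path(directory).glob("*.pcap")):
        try:
            with path.open("rb") as fh:
                out[path.name] = describe(pcap_linktype(fh.read(24)))
        except ValueError as exc:
            out[path.name] = f"error: {exc}"
    return out

if __name__ == "__main__":
    print("sample:", describe(pcap_linktype(SAMPLE_SLL_HEADER)))
    for name, result in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{name}: {result}")
```

Run it with the same directory you pass to --pcap-dir; any file reported as non-Ethernet is one that a default (Ethernet-only) Snort build will not decode.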