[Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode data link type 113 while reading pcaps

Pratik Narang pratik.cse.bits at ...11827...
Thu May 21 07:13:07 EDT 2015


Here you go : https://dl.dropboxusercontent.com/u/83226006/gtisc-winobot.20071027.1193443201.pcap
This pcap comes from the 'Storm' botnet. It was obtained from a 3rd
party - so I am not really sure what non-ethernet stuff it has.

Thanks!

On Thu, May 21, 2015 at 3:07 PM, Al Lewis (allewi) <allewi at ...589...> wrote:
> Can you provide some sample traffic that is giving you the error please?
>
> Albert Lewis
> QA Software Engineer
> SOURCEfire, Inc. now part of Cisco
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi at ...589...
>
>
> -----Original Message-----
> From: Pratik Narang [mailto:pratik.cse.bits at ...11827...]
> Sent: Thursday, May 21, 2015 2:09 AM
> To: Al Lewis (allewi)
> Cc: snort-users at lists.sourceforge.net; Waldo Kitty
> Subject: Re: [Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode data link type 113 while reading pcaps
>
> Thanks Waldo and Albert.
> I recompiled Snort: ./configure --enable-sourcefire --enable-non-ether-decoders (followed by make and sudo make install). However, when I try to run it against the pcaps, I still get the same error.
> Any hints?
>
>
>
>
>
> On Wed, May 20, 2015 at 8:57 PM, Al Lewis (allewi) <allewi at ...589...> wrote:
>> What he means is that you need to recompile snort with that flag to read non Ethernet headers.
>>
>> Snort will decode Ethernet pcaps by default.
>>
>> Hope this helps.
>>
>> Albert Lewis
>> QA Software Engineer
>> SOURCEfire, Inc. now part of Cisco
>> 9780 Patuxent Woods Drive
>> Columbia, MD 21046
>> Phone: (office) 443.430.7112
>> Email: allewi at ...589...
>>
>> -----Original Message-----
>> From: Pratik Narang [mailto:pratik.cse.bits at ...11827...]
>> Sent: Wednesday, May 20, 2015 8:12 AM
>> To: snort-users at lists.sourceforge.net; Waldo Kitty
>> Subject: Re: [Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode
>> data link type 113 while reading pcaps
>>
>> On Wed, May 20, 2015 at 5:41 PM, Pratik Narang <pratik.cse.bits at ...11827...> wrote:
>>> ---------- Forwarded message ----------
>>> From: Pratik Narang <pratik.cse.bits at ...11827...>
>>> Date: Wed, May 20, 2015 at 5:41 PM
>>> Subject: Re: [Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode
>>> data link type 113 while reading pcaps
>>> To: waldo kitty <wkitty42 at ...14940...>
>>>
>>>
>>> Ummm... so, if I got that right, to be able to parse pcaps, I need to
>>> re-compile Snort?
>>>
>>> On Wed, May 20, 2015 at 5:30 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>>>> On 05/20/2015 07:40 AM, Pratik Narang wrote:
>>>>> Now, I tried to run it against .pcap files in a directory using the
>>>>> option --pcap-dir="/path/to/dumpfiles". Snort throws up an error:
>>>>> ERROR: Cannot decode data link type 113 I read somewhere that
>>>>> "--enable-non-ether-decoders" can be used to resolve this. But I
>>>>> guess this option is not available for the present version of Snort.
>>>>
>>>> that's a compile time option... you have to use it when you run
>>>> configure or make to create your snort binary...
>>>>
>>>> --
>>>>   NOTE: No off-list assistance is given without prior approval.
>>>>         Please *keep mailing list traffic on the list* unless
>>>>         private contact is specifically requested and granted.
>>>>
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>
>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>
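The number in the error message is the capture's libpcap link-layer type, and 113 is DLT_LINUX_SLL, the "Linux cooked" pseudo-header libpcap writes when capturing on the `any` pseudo-interface (tcpdump -i any) or on devices without an Ethernet header. Before rebuilding Snort it is worth confirming what a third-party pcap actually contains. The script below is an added example, not code from this thread, from Snort or from libpcap: it reads the pcap global header, names the link type, and rewrites a LINUX_SLL capture into Ethernet framing that a default Ethernet-only build can decode. The sample capture it builds is constructed inline and is not the Storm pcap linked above; the zero destination MAC and the use of the SLL address as source MAC are this example's own assumptions, since SLL records carry no destination address.

```python
"""Report a classic libpcap file's link-layer type and re-encapsulate Linux
"cooked" captures (DLT 113) as Ethernet (DLT 1) for Ethernet-only decoders.

Added example for this thread, not Snort or libpcap code.  The sample
capture from build_sample_sll_pcap() is constructed, not the Storm pcap.
"""
import struct
import sys

# libpcap link-layer type values (pcap/dlt.h)
DLT_EN10MB = 1       # Ethernet
DLT_LINUX_SLL = 113  # Linux cooked capture, written e.g. by "tcpdump -i any"
DLT_NAMES = {DLT_EN10MB: "EN10MB (Ethernet)",
             DLT_LINUX_SLL: "LINUX_SLL (Linux cooked)"}

# First four bytes read big-endian -> struct byte-order prefix for the file.
PCAP_MAGICS = {0xA1B2C3D4: ">", 0xD4C3B2A1: "<",   # microsecond timestamps
               0xA1B23C4D: ">", 0x4D3CB2A1: "<"}   # nanosecond timestamps
PCAPNG_MAGIC = 0x0A0D0D0A
SLL_HDR_LEN, ETH_HDR_LEN = 16, 14


def parse_global_header(data):
    """Return (byte-order prefix, linktype) from the 24-byte pcap header."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    magic = struct.unpack(">I", data[:4])[0]
    if magic == PCAPNG_MAGIC:
        raise ValueError("pcapng file; this example handles classic pcap only")
    if magic not in PCAP_MAGICS:
        raise ValueError("unknown pcap magic 0x%08x" % magic)
    endian = PCAP_MAGICS[magic]
    # fields: version major/minor, thiszone, sigfigs, snaplen, network (linktype)
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    return endian, linktype


def pcap_linktype(data):
    return parse_global_header(data)[1]


def describe_linktype(linktype):
    return DLT_NAMES.get(linktype, "DLT %d (not in this example's table)" % linktype)


def sll_to_ethernet_frame(pkt):
    """Rewrite one LINUX_SLL record as an Ethernet II frame."""
    if len(pkt) < SLL_HDR_LEN:
        raise ValueError("truncated SLL header")
    # SLL fields are big-endian regardless of the file's byte order.
    _pkt_type, _arphrd, addr_len, addr, proto = struct.unpack(">HHH8sH", pkt[:SLL_HDR_LEN])
    if proto < 0x0600:
        # Values below 0x0600 are SLL-specific (802.2, Novell 802.3, CAN ...),
        # not Ethertypes, so an Ethernet header would misdescribe the payload.
        raise ValueError("SLL protocol 0x%04x is not an Ethertype" % proto)
    # SLL has one link-layer address (the sender's, for received packets) and
    # no destination.  Assumption of this example: zero destination MAC, and
    # the SLL address as source MAC only when it is 6 bytes long.
    src_mac = addr[:6] if addr_len == 6 else b"\x00" * 6
    return b"\x00" * 6 + src_mac + struct.pack(">H", proto) + pkt[SLL_HDR_LEN:]


def convert_sll_pcap(data):
    """Return an Ethernet (DLT 1) pcap; Ethernet input is returned unchanged."""
    endian, linktype = parse_global_header(data)
    if linktype == DLT_EN10MB:
        return data
    if linktype != DLT_LINUX_SLL:
        raise ValueError("cannot re-encapsulate " + describe_linktype(linktype))
    out = bytearray(data[:20]) + struct.pack(endian + "I", DLT_EN10MB)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + incl_len]
        if len(pkt) < incl_len:
            raise ValueError("truncated record at offset %d" % off)
        frame = sll_to_ethernet_frame(pkt)
        shrink = SLL_HDR_LEN - ETH_HDR_LEN   # header got 2 bytes shorter
        out += struct.pack(endian + "IIII", ts_sec, ts_frac, len(frame),
                           max(len(frame), orig_len - shrink))
        out += frame
        off += 16 + incl_len
    return bytes(out)


def build_sample_sll_pcap():
    """Constructed sample: one LINUX_SLL record carrying an IPv4 header stub."""
    payload = bytes.fromhex("4500001c000100004011")  # constructed bytes
    sll = struct.pack(">HHH8sH", 0, 1, 6, bytes.fromhex("00110000aabb0000"), 0x0800)
    pkt = sll + payload
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_LINUX_SLL)
    record = struct.pack("<IIII", 1432200000, 0, len(pkt), len(pkt))
    return header + record + pkt


if __name__ == "__main__":
    # usage: pcap_dlt.py in.pcap [out.pcap]; with no arguments, inspect the sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_sll_pcap()
    print("link type:", describe_linktype(pcap_linktype(data)))
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(convert_sll_pcap(data))
```

Run it with no arguments to check the embedded sample, or with a capture file (and an output path) to inspect and convert a real one. Because the Ethernet addresses in the output are fabricated, anything keyed on MAC addresses is meaningless on the converted file; a Snort build that decodes DLT 113 itself keeps the original framing, so re-encapsulation is only a stopgap for a binary that was built without the non-Ethernet decoders.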



