[Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode data link type 113 while reading pcaps

Al Lewis (allewi) allewi at ...589...
Thu May 21 08:05:21 EDT 2015


The file is captured using "link-type LINUX_SLL (Linux cooked)". https://wiki.wireshark.org/SLL 

I will have to check if that is supported. 

root at ...17165...:/var/tmp/snort-2.9.7.3_build-216# tcpdump -n -r /home/alewis/Downloads/gtisc-winobot.20071027.1193443201.pcap -c 1 -X -e

reading from file /home/alewis/Downloads/gtisc-winobot.20071027.1193443201.pcap, link-type LINUX_SLL (Linux cooked)
20:00:01.264359 Out d6:33:9e:ed:70:a1 ethertype IPv4 (0x0800), length 69: 66.154.87.61.7871 > 84.73.104.243.9683: UDP, length 25
        0x0000:  4500 0035 0000 4000 4011 e3a4 429a 573d  E..5..@.@...B.W=
        0x0010:  5449 68f3 1ebf 25d3 0021 620b e30c 1d4e  TIh...%..!b....N
        0x0020:  7d11 e78e 94c9 f938 4663 ce75 a12d 429a  }......8Fc.u.-B.
        0x0030:  573d bf1e 00                             W=...



Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046 
Phone: (office) 443.430.7112
Email: allewi at ...589... 


-----Original Message-----
From: Pratik Narang [mailto:pratik.cse.bits at ...11827...] 
Sent: Thursday, May 21, 2015 7:13 AM
To: Al Lewis (allewi)
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode data link type 113 while reading pcaps

Here you go : https://dl.dropboxusercontent.com/u/83226006/gtisc-winobot.20071027.1193443201.pcap
This pcap comes from the 'Storm' botnet. It was obtained from a 3rd party - so I am not really sure what non-ethernet stuff it has.

Thanks!

On Thu, May 21, 2015 at 3:07 PM, Al Lewis (allewi) <allewi at ...589...> wrote:
> Can you provide some sample traffic that is giving you the error please?
>
> Albert Lewis
> QA Software Engineer
> SOURCEfire, Inc. now part of Cisco
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi at ...589...
>
>
> -----Original Message-----
> From: Pratik Narang [mailto:pratik.cse.bits at ...11827...]
> Sent: Thursday, May 21, 2015 2:09 AM
> To: Al Lewis (allewi)
> Cc: snort-users at lists.sourceforge.net; Waldo Kitty
> Subject: Re: [Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode 
> data link type 113 while reading pcaps
>
> Thanks Waldo and Albert.
> I recompiled Snort: ./configure --enable-sourcefire --enable-non-ether-decoders (followed by make and sudo make install). However, when I try to run it against the pcaps, I still get the same error.
> Any hints?
>
>
>
>
>
> On Wed, May 20, 2015 at 8:57 PM, Al Lewis (allewi) <allewi at ...589...> wrote:
>> What he means is that you need to recompile snort with that flag to read non Ethernet headers.
>>
>> Snort will decode Ethernet pcaps by default.
>>
>> Hope this helps.
>>
>> Albert Lewis
>> QA Software Engineer
>> SOURCEfire, Inc. now part of Cisco
>> 9780 Patuxent Woods Drive
>> Columbia, MD 21046
>> Phone: (office) 443.430.7112
>> Email: allewi at ...589...
>>
>> -----Original Message-----
>> From: Pratik Narang [mailto:pratik.cse.bits at ...11827...]
>> Sent: Wednesday, May 20, 2015 8:12 AM
>> To: snort-users at lists.sourceforge.net; Waldo Kitty
>> Subject: Re: [Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode 
>> data link type 113 while reading pcaps
>>
>> On Wed, May 20, 2015 at 5:41 PM, Pratik Narang <pratik.cse.bits at ...11827...> wrote:
>>> ---------- Forwarded message ----------
>>> From: Pratik Narang <pratik.cse.bits at ...11827...>
>>> Date: Wed, May 20, 2015 at 5:41 PM
>>> Subject: Re: [Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode 
>>> data link type 113 while reading pcaps
>>> To: waldo kitty <wkitty42 at ...14940...>
>>>
>>>
>>> Ummm... so, if I got that right, to be able to parse pcaps, I need to 
>>> re-compile Snort?
>>>
>>> On Wed, May 20, 2015 at 5:30 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>>>> On 05/20/2015 07:40 AM, Pratik Narang wrote:
>>>>> Now, I tried to run it against .pcap files in a directory using 
>>>>> the option --pcap-dir="/path/to/dumpfiles". Snort throws up an error:
>>>>> ERROR: Cannot decode data link type 113
>>>>> I read somewhere that "--enable-non-ether-decoders" can be used to 
>>>>> resolve this. But I guess this option is not available for the 
>>>>> present version of Snort.
>>>>
>>>> that's a compile time option... you have to use it when you run 
>>>> configure or make to create your snort binary...
>>>>
>>>> --
>>>>   NOTE: No off-list assistance is given without prior approval.
>>>>         Please *keep mailing list traffic on the list* unless
>>>>         private contact is specifically requested and granted.
>>>>
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>
>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>

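The thread pins the error on the capture's data-link type: the file is LINUX_SLL (DLT 113, what "tcpdump -i any" writes), and a stock Snort build only decodes Ethernet (DLT 1). Besides rebuilding Snort with --enable-non-ether-decoders, the other workaround is to rewrite the capture as Ethernet before feeding it to Snort. The script below is an added example, not code from the thread, from Snort or from libpcap: it reads the pcap global header to report the link type, and rewrites each 16-byte SLL header as a 14-byte Ethernet header. Assumptions made here: the single SLL link-layer address is placed in the source-MAC slot and the destination MAC is a zero placeholder, the packet-type field (the "Out" tcpdump printed) is dropped because Ethernet has nowhere to carry it, and SLL protocol values below 0x0600 (libpcap pseudo-types, not Ethertypes) are rejected rather than guessed. The one-packet sample capture is constructed from the hex dump in the tcpdump output above.

```python
"""Report a pcap's data-link type and rewrite a LINUX_SLL (DLT 113) capture
as Ethernet (DLT 1), which Snort decodes without --enable-non-ether-decoders."""
import struct

DLT_EN10MB = 1          # Ethernet
DLT_LINUX_SLL = 113     # Linux cooked capture
SLL_HDR_LEN = 16
ETH_HDR_LEN = 14
SLL_OUTGOING = 4        # SLL packet type that tcpdump prints as "Out"
MIN_ETHERTYPE = 0x0600  # smaller SLL "protocol" values are libpcap pseudo-types
MAGIC_LE_VALUES = (0xa1b2c3d4, 0xa1b23c4d)  # usec / nsec magic, little-endian file
MAGIC_BE_VALUES = (0xd4c3b2a1, 0x4d3cb2a1)  # the same read from a big-endian file


def parse_pcap(data):
    """Return (header dict, records); each record is (ts_sec, ts_frac, orig_len, bytes)."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    probe = struct.unpack('<I', data[:4])[0]
    if probe in MAGIC_LE_VALUES:
        end = '<'
    elif probe in MAGIC_BE_VALUES:
        end = '>'
    else:
        raise ValueError("not a classic pcap file (magic 0x%08x)" % probe)
    magic, _, _, _, _, snaplen, linktype = struct.unpack(end + 'IHHiIII', data[:24])
    hdr = {'end': end, 'magic': magic, 'snaplen': snaplen, 'linktype': linktype}
    records, off = [], 24
    while off < len(data):
        if len(data) - off < 16:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(end + 'IIII', data[off:off + 16])
        off += 16
        if incl_len > snaplen or len(data) - off < incl_len:
            raise ValueError("bad incl_len %d at offset %d" % (incl_len, off))
        records.append((ts_sec, ts_frac, orig_len, data[off:off + incl_len]))
        off += incl_len
    return hdr, records


def write_pcap(hdr, linktype, records):
    """Serialise records with the original byte order and magic but a new link type."""
    end = hdr['end']
    out = [struct.pack(end + 'IHHiIII', hdr['magic'], 2, 4, 0, 0, hdr['snaplen'], linktype)]
    for ts_sec, ts_frac, orig_len, pkt in records:
        out.append(struct.pack(end + 'IIII', ts_sec, ts_frac, len(pkt), orig_len))
        out.append(pkt)
    return b''.join(out)


def sll_to_ethernet(pkt, fill_mac=b'\x00' * 6):
    """Replace the SLL header with an Ethernet header (assumption: SLL address -> src MAC,
    placeholder -> dst MAC; the SLL packet-type/direction field is lost)."""
    if len(pkt) < SLL_HDR_LEN:
        raise ValueError("packet shorter than SLL header")
    _pkt_type, _hatype, halen = struct.unpack('>HHH', pkt[:6])
    addr = pkt[6:14]
    proto = struct.unpack('>H', pkt[14:16])[0]
    if proto < MIN_ETHERTYPE:
        raise ValueError("SLL protocol 0x%04x is not an Ethertype" % proto)
    if halen > 6:
        raise ValueError("link-layer address length %d does not fit a MAC" % halen)
    src = (addr[:halen] + b'\x00' * 6)[:6]
    return fill_mac + src + struct.pack('>H', proto) + pkt[SLL_HDR_LEN:]


def convert_to_ethernet(data):
    """Return an Ethernet pcap; Ethernet input is passed through, other DLTs are refused."""
    hdr, records = parse_pcap(data)
    if hdr['linktype'] == DLT_EN10MB:
        return data
    if hdr['linktype'] != DLT_LINUX_SLL:
        raise ValueError("data link type %d is neither Ethernet nor LINUX_SLL" % hdr['linktype'])
    converted = [(s, f, orig - SLL_HDR_LEN + ETH_HDR_LEN, sll_to_ethernet(p))
                 for s, f, orig, p in records]
    return write_pcap(hdr, DLT_EN10MB, converted)


# Constructed sample: the 53-byte IPv4/UDP datagram from the tcpdump hex dump above.
IP_PAYLOAD = bytes.fromhex(
    "45000035000040004011e3a4429a573d"
    "544968f31ebf25d30021620be30c1d4e"
    "7d11e78e94c9f9384663ce75a12d429a"
    "573dbf1e00")


def sample_sll_pcap():
    """One-packet LINUX_SLL capture: type Out, ARPHRD_ETHER, addr d6:33:9e:ed:70:a1, IPv4."""
    sll = (struct.pack('>HHH', SLL_OUTGOING, 1, 6) + bytes.fromhex("d6339eed70a1")
           + b'\x00\x00' + struct.pack('>H', 0x0800))
    pkt = sll + IP_PAYLOAD
    hdr = {'end': '<', 'magic': 0xa1b2c3d4, 'snaplen': 65535}
    return write_pcap(hdr, DLT_LINUX_SLL, [(1193443201, 264359, len(pkt), pkt)])


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: sll2eth.py in.pcap out.pcap
        with open(sys.argv[1], 'rb') as f:
            out = convert_to_ethernet(f.read())
        with open(sys.argv[2], 'wb') as f:
            f.write(out)
    else:
        data = sample_sll_pcap()
        print("before: DLT", parse_pcap(data)[0]['linktype'])
        print("after:  DLT", parse_pcap(convert_to_ethernet(data))[0]['linktype'])
```

Run it as `python sll2eth.py gtisc-winobot.pcap eth.pcap` and then `snort -r eth.pcap ...`; checking `parse_pcap(...)[0]['linktype']` first tells you whether a file will trip the decoder at all. tcpreplay's tcprewrite does the same rewrite with `--dlt=enet` (plus `--enet-dmac`/`--enet-smac` for the placeholder addresses), which is the tool to reach for on large captures.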
