[Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode data link type 113 while reading pcaps

Pratik Narang pratik.cse.bits at ...11827...
Tue May 26 01:11:07 EDT 2015


Albert:

Does Snort support Linux Cooked captures?

Thanks!

On Thu, May 21, 2015 at 5:35 PM, Al Lewis (allewi) <allewi at ...589...> wrote:
> The file is captured using "link-type LINUX_SLL (Linux cooked)". https://wiki.wireshark.org/SLL
>
> I will have to check if that is supported.
>
> root at ...17165...:/var/tmp/snort-2.9.7.3_build-216# tcpdump -n -r /home/alewis/Downloads/gtisc-winobot.20071027.1193443201.pcap -c 1 -X -e
>
> reading from file /home/alewis/Downloads/gtisc-winobot.20071027.1193443201.pcap, link-type LINUX_SLL (Linux cooked)
> 20:00:01.264359 Out d6:33:9e:ed:70:a1 ethertype IPv4 (0x0800), length 69: 66.154.87.61.7871 > 84.73.104.243.9683: UDP, length 25
>         0x0000:  4500 0035 0000 4000 4011 e3a4 429a 573d  E..5..@.@...B.W=
>         0x0010:  5449 68f3 1ebf 25d3 0021 620b e30c 1d4e  TIh...%..!b....N
>         0x0020:  7d11 e78e 94c9 f938 4663 ce75 a12d 429a  }......8Fc.u.-B.
>         0x0030:  573d bf1e 00                             W=...
>
>
>
> Albert Lewis
> QA Software Engineer
> SOURCEfire, Inc. now part of Cisco
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi at ...589...
>
>
> -----Original Message-----
> From: Pratik Narang [mailto:pratik.cse.bits at ...11827...]
> Sent: Thursday, May 21, 2015 7:13 AM
> To: Al Lewis (allewi)
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode data link type 113 while reading pcaps
>
> Here you go : https://dl.dropboxusercontent.com/u/83226006/gtisc-winobot.20071027.1193443201.pcap
> This pcap comes from the 'Storm' botnet. It was obtained from a 3rd party - so I am not really sure what non-ethernet stuff it has.
>
> Thanks!
>
> On Thu, May 21, 2015 at 3:07 PM, Al Lewis (allewi) <allewi at ...589...> wrote:
>> Can you provide some sample traffic that is giving you the error please?
>>
>> Albert Lewis
>> QA Software Engineer
>> SOURCEfire, Inc. now part of Cisco
>> 9780 Patuxent Woods Drive
>> Columbia, MD 21046
>> Phone: (office) 443.430.7112
>> Email: allewi at ...589...
>>
>>
>> -----Original Message-----
>> From: Pratik Narang [mailto:pratik.cse.bits at ...11827...]
>> Sent: Thursday, May 21, 2015 2:09 AM
>> To: Al Lewis (allewi)
>> Cc: snort-users at lists.sourceforge.net; Waldo Kitty
>> Subject: Re: [Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode
>> data link type 113 while reading pcaps
>>
>> Thanks Waldo and Albert.
>> I recompiled Snort: ./configure --enable-sourcefire --enable-non-ether-decoders (followed by make and sudo make install). However, when I try to run it against the pcaps, I still get the same error.
>> Any hints?
>>
>>
>>
>>
>>
>> On Wed, May 20, 2015 at 8:57 PM, Al Lewis (allewi) <allewi at ...589...> wrote:
>>> What he means is that you need to recompile snort with that flag to read non Ethernet headers.
>>>
>>> Snort will decode Ethernet pcaps by default.
>>>
>>> Hope this helps.
>>>
>>> Albert Lewis
>>> QA Software Engineer
>>> SOURCEfire, Inc. now part of Cisco
>>> 9780 Patuxent Woods Drive
>>> Columbia, MD 21046
>>> Phone: (office) 443.430.7112
>>> Email: allewi at ...589...
>>>
>>> -----Original Message-----
>>> From: Pratik Narang [mailto:pratik.cse.bits at ...11827...]
>>> Sent: Wednesday, May 20, 2015 8:12 AM
>>> To: snort-users at lists.sourceforge.net; Waldo Kitty
>>> Subject: Re: [Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode
>>> data link type 113 while reading pcaps
>>>
>>> On Wed, May 20, 2015 at 5:41 PM, Pratik Narang <pratik.cse.bits at ...11827...> wrote:
>>>> ---------- Forwarded message ----------
>>>> From: Pratik Narang <pratik.cse.bits at ...11827...>
>>>> Date: Wed, May 20, 2015 at 5:41 PM
>>>> Subject: Re: [Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode
>>>> data link type 113 while reading pcaps
>>>> To: waldo kitty <wkitty42 at ...14940...>
>>>>
>>>>
>>>> Ummm... so, if I got that right, to be able to parse pcaps, I need to
>>>> re-compile Snort?
>>>>
>>>> On Wed, May 20, 2015 at 5:30 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>>>>> On 05/20/2015 07:40 AM, Pratik Narang wrote:
>>>>>> Now, I tried to run it against .pcap files in a directory using
>>>>>> the option --pcap-dir="/path/to/dumpfiles". Snort throws up an error:
>>>>>> ERROR: Cannot decode data link type 113. I read somewhere that
>>>>>> "--enable-non-ether-decoders" can be used to resolve this. But I
>>>>>> guess this option is not available for the present version of Snort.
>>>>>
>>>>> that's a compile time option... you have to use it when you run
>>>>> configure or make to create your snort binary...
>>>>>
>>>>> --
>>>>>   NOTE: No off-list assistance is given without prior approval.
>>>>>         Please *keep mailing list traffic on the list* unless
>>>>>         private contact is specifically requested and granted.
>>>>>
>>>>> _______________________________________________
>>>>> Snort-users mailing list
>>>>> Snort-users at lists.sourceforge.net
>>>>> Go to this URL to change user options or unsubscribe:
>>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>>> Snort-users list archive:
>>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>>
>>>>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>>>
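The "data link type 113" in the error is libpcap's DLT_LINUX_SLL, the Linux cooked capture format described at the Wireshark SLL page linked above. Two things a practitioner wants at this point are a quick check of which files in a --pcap-dir are cooked captures (rather than waiting for Snort to refuse each one) and, when rebuilding Snort with --enable-non-ether-decoders is not an option, a way to rewrite a cooked capture as plain Ethernet (DLT 1), which stock Snort decodes. The script below is an added example and is not code from the thread, from Snort or from tcpdump. It assumes the classic pcap and SLL layouts (16-byte SLL header: packet type, ARPHRD_ type, address length, 8-byte address, protocol). The sample capture it builds is constructed: the 53-byte IP datagram is the hex quoted from Al Lewis's tcpdump output, the SLL header in front of it is reconstructed from the "Out d6:33:9e:ed:70:a1 ethertype IPv4 (0x0800)" line, and because SLL records only one address, the Ethernet destination MAC is filled with zeros (an assumption of this converter).

```python
import struct

# pcap / link-layer constants (from the pcap and SLL formats, not from the thread)
PCAP_MAGIC_US = 0xA1B2C3D4        # microsecond-resolution pcap
PCAP_MAGIC_NS = 0xA1B23C4D        # nanosecond-resolution pcap
DLT_EN10MB = 1                    # Ethernet
DLT_LINUX_SLL = 113               # Linux cooked capture, the "data link type 113" in the error
ARPHRD_ETHER = 1                  # SLL "ARPHRD_ type" for frames captured on Ethernet devices
SLL_HEADER_LEN = 16
LINKTYPE_NAMES = {DLT_EN10MB: "EN10MB (Ethernet)", DLT_LINUX_SLL: "LINUX_SLL (Linux cooked)"}


def pcap_byte_order(magic_bytes):
    """Return the struct byte-order prefix ("<" or ">") implied by the 4-byte pcap magic."""
    for order in ("<", ">"):
        if struct.unpack(order + "I", magic_bytes)[0] in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            return order
    raise ValueError("not a classic pcap file (unknown magic)")


def read_pcap(data):
    """Parse a classic pcap into (byte_order, linktype, [((ts_sec, ts_frac, incl_len, orig_len), frame), ...])."""
    order = pcap_byte_order(data[:4])
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, network (link type)
    _, _, _, _, _, _, linktype = struct.unpack(order + "IHHiIII", data[:24])
    records, off = [], 24
    while off + 16 <= len(data):
        hdr = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + hdr[2]]
        if len(frame) != hdr[2]:
            raise ValueError("truncated packet record at offset %d" % (off - 16))
        off += hdr[2]
        records.append((hdr, frame))
    return order, linktype, records


def describe_linktype(data):
    """Human-readable link type: the check to run on a file before handing it to Snort."""
    _, linktype, _ = read_pcap(data)
    return "%d = %s" % (linktype, LINKTYPE_NAMES.get(linktype, "other"))


def sll_to_ethernet(frame):
    """Rewrite one Linux cooked (SLL) frame as an Ethernet II frame.

    SLL header: packet type (2), ARPHRD_ type (2), address length (2),
    address (8, zero padded), protocol (2); all big-endian.  SLL carries only
    the sender's address, so the Ethernet destination is filled with zeros
    (an assumption of this converter, not something the capture records).
    """
    if len(frame) < SLL_HEADER_LEN:
        raise ValueError("SLL frame shorter than its header")
    _pkt_type, arphrd, addr_len, addr, proto = struct.unpack("!HHH8sH", frame[:SLL_HEADER_LEN])
    if arphrd != ARPHRD_ETHER or addr_len != 6:
        raise ValueError("cooked frame from non-Ethernet device (ARPHRD_ type %d)" % arphrd)
    return b"\x00" * 6 + addr[:6] + struct.pack("!H", proto) + frame[SLL_HEADER_LEN:]


def convert_sll_pcap(data):
    """Return a DLT_EN10MB copy of a DLT_LINUX_SLL pcap; any other link type is returned unchanged."""
    order, linktype, records = read_pcap(data)
    if linktype != DLT_LINUX_SLL:
        return data
    out = bytearray(data[:20]) + struct.pack(order + "I", DLT_EN10MB)   # keep magic/version/snaplen
    for (ts_sec, ts_frac, _incl, orig_len), frame in records:
        eth = sll_to_ethernet(frame)
        delta = len(eth) - len(frame)          # always -2: 16-byte SLL header -> 14-byte Ethernet header
        out += struct.pack(order + "IIII", ts_sec, ts_frac, len(eth), orig_len + delta)
        out += eth
    return bytes(out)


# Constructed sample: the 53-byte IP datagram is the hex quoted from tcpdump in the thread;
# the SLL header placed in front of it is reconstructed from that output's
# "Out d6:33:9e:ed:70:a1 ethertype IPv4 (0x0800)" line (packet type 4 = outgoing).
IP_DGRAM = bytes.fromhex(
    "4500003500004000" "4011e3a4429a573d" "544968f31ebf25d3" "0021620be30c1d4e"
    "7d11e78e94c9f938" "4663ce75a12d429a" "573dbf1e00"
)


def build_sample_sll_pcap():
    """Little-endian, microsecond pcap with one cooked frame (timestamp from the quoted tcpdump line)."""
    sll = struct.pack("!HHH8sH", 4, ARPHRD_ETHER, 6, bytes.fromhex("d6339eed70a1") + b"\x00\x00", 0x0800)
    frame = sll + IP_DGRAM                                   # 16 + 53 = 69 bytes, matching "length 69"
    header = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, DLT_LINUX_SLL)
    record = struct.pack("<IIII", 1193443201, 264359, len(frame), len(frame))
    return header + record + frame


if __name__ == "__main__":
    import sys
    # with a path argument: inspect (and, if cooked, convert) that file; without: use the sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_sll_pcap()
    print("link type:", describe_linktype(data))
    converted = convert_sll_pcap(data)
    if converted is not data:
        out_path = (sys.argv[1] if len(sys.argv) > 1 else "sample") + ".eth.pcap"
        with open(out_path, "wb") as fh:
            fh.write(converted)
        print("wrote", out_path, "as", describe_linktype(converted))
```

Run it with a capture path to see the link type before pointing Snort at the file; a cooked capture is written alongside as a `.eth.pcap` that a Snort built without --enable-non-ether-decoders can read with -r. The converter refuses frames whose ARPHRD_ type is not Ethernet rather than guessing, since a cooked file from a 3rd party can mix interface types and a silently mangled frame would be worse for rule matching than an error.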



