Honeypots mailing list archives

Re: Help Needed: Having a problem with sebek server


From: Edward Balas <ebalas () iu edu>
Date: Tue, 18 Nov 2003 19:12:39 -0500 (EST)

On Tue, 18 Nov 2003, Turner,Robbin J. wrote:

I was trying to extract the data from a tcpdump stream and the 
sbk_extract is giving me a malformed sebek record error.  The data is 
coming off a Debian honeypot into a RedHat box running tcpdump.  Then 
I'm piping the tcpdump output into the sbk_extract and getting the 
following:

    [.....]

    malformed sebek record: data length=64  packet caplen=96
    malformed sebek record: data length=199  packet caplen=96
    malformed sebek record: data length=25  packet caplen=96
    malformed sebek record: data length=447  packet caplen=96

    warning RX 1073774479   Lost 107383140

    malformed sebek record: data length=208  packet caplen=96
    malformed sebek record: data length=55  packet caplen=96
    malformed sebek record: data length=176  packet caplen=96
    malformed sebek record: data length=25  packet caplen=96
    malformed sebek record: data length=444  packet caplen=96
    malformed sebek record: data length=7  packet caplen=96
    malformed sebek record: data length=497  packet caplen=96
    malformed sebek record: data length=56  packet caplen=96
    malformed sebek record: data length=36  packet caplen=96

    [.....]

If you have any advice where to look I'd really appreciate it.

Thanks
Robbin Turner
Can you give me the exact command that you are running?


sbk_extract can't handle packets piped to it; it can either sniff the
interface directly or it can open a tcpdump-formatted log file...

BTW, I'll get to the MySQL issue tomorrow if that's alright.

Edward
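Every error line above pairs a declared Sebek data length with "packet caplen=96", which is a capture whose frames were cut at a 96-byte snaplen. The following script is an added example, not part of the thread or the Sebek tools: it walks a tcpdump-format (libpcap) file and reports frames whose captured length is shorter than their on-the-wire length, reading the Sebek length field where enough of the header survived. It assumes Ethernet/IPv4/UDP framing and the Sebek v2 header layout (48 bytes, length field at offset 44); both are assumptions, not something the thread states.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len (caplen), orig_len

# Assumed Sebek v2 record header (network byte order): magic u32, ver u16,
# type u16, counter u32, time_sec u32, time_usec u32, pid u32, uid u32,
# fd u32, com[12], length u32 -> 48 bytes, 'length' at offset 44.
SBK_HDR_LEN = 48
SBK_LEN_OFF = 44
L2_L3_L4 = 14 + 20 + 8  # assumed Ethernet + IPv4 (no options) + UDP headers


def check_capture(data):
    """Return (snaplen, [(frame_no, caplen, wirelen, sebek_len), ...]) for
    every frame that tcpdump truncated; sebek_len is None if the Sebek
    header itself was cut off before its length field."""
    magic, _, _, _, _, snaplen, _ = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian libpcap file")
    problems, off, n = [], GLOBAL_HDR.size, 0
    while off + REC_HDR.size <= len(data):
        _, _, caplen, wirelen = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        frame = data[off:off + caplen]
        off += caplen
        n += 1
        if caplen >= wirelen:
            continue  # complete frame: sbk_extract can parse the whole record
        sebek_len = None
        payload = frame[L2_L3_L4:]
        if len(payload) >= SBK_HDR_LEN:
            (sebek_len,) = struct.unpack_from("!I", payload, SBK_LEN_OFF)
        problems.append((n, caplen, wirelen, sebek_len))
    return snaplen, problems


def build_sample_capture():
    """Constructed sample: one complete 90-byte frame, then a 289-byte
    Sebek datagram (199 bytes of data) captured with a 96-byte snaplen."""
    def frame(wirelen, caplen):
        payload = bytearray(wirelen - L2_L3_L4)
        struct.pack_into("!I", payload, SBK_LEN_OFF, wirelen - L2_L3_L4 - SBK_HDR_LEN)
        full = bytes(L2_L3_L4) + bytes(payload)
        return REC_HDR.pack(0, 0, caplen, wirelen) + full[:caplen]
    hdr = GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, 96, 1)
    return hdr + frame(90, 90) + frame(L2_L3_L4 + SBK_HDR_LEN + 199, 96)


if __name__ == "__main__":
    snaplen, bad = check_capture(build_sample_capture())
    for n, caplen, wirelen, slen in bad:
        print(f"frame {n}: caplen={caplen} wirelen={wirelen} sebek data length={slen} (snaplen {snaplen})")
```

A real file would be read with `open(path, "rb").read()` in place of the constructed sample; a non-empty list means the capture cannot yield intact Sebek records regardless of how sbk_extract is invoked.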