Re: Snort 2.9.7.2 throws ERROR: Cannot decode data link type 113 while reading pcaps

[Pratik Narang <pratik.cse.bits () gmail com>]

Albert:

Does Snort support Linux Cooked captures?

Thanks!

On Thu, May 21, 2015 at 5:35 PM, Al Lewis (allewi) <allewi () cisco com> wrote:
> The file is captured using "link-type LINUX_SLL (Linux cooked)". https://wiki.wireshark.org/SLL
>
> I will have to check if that is supported.
>
> root@lil-debbie-7:/var/tmp/snort-2.9.7.3_build-216# tcpdump -n -r 
> /home/alewis/Downloads/gtisc-winobot.20071027.1193443201.pcap -c 1 -X -e
>
> reading from file /home/alewis/Downloads/gtisc-winobot.20071027.1193443201.pcap, link-type LINUX_SLL (Linux cooked)
> 20:00:01.264359 Out d6:33:9e:ed:70:a1 ethertype IPv4 (0x0800), length 69: 66.154.87.61.7871 > 84.73.104.243.9683: 
> UDP, length 25
>         0x0000:  4500 0035 0000 4000 4011 e3a4 429a 573d  E..5..@.@...B.W=
>         0x0010:  5449 68f3 1ebf 25d3 0021 620b e30c 1d4e  TIh...%..!b....N
>         0x0020:  7d11 e78e 94c9 f938 4663 ce75 a12d 429a  }......8Fc.u.-B.
>         0x0030:  573d bf1e 00                             W=...
>
>
>
> Albert Lewis
> QA Software Engineer
> SOURCEfire, Inc. now part of Cisco
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
> Phone: (office) 443.430.7112
> Email: allewi () cisco com
>
>
> -----Original Message-----
> From: Pratik Narang [mailto:pratik.cse.bits () gmail com]
> Sent: Thursday, May 21, 2015 7:13 AM
> To: Al Lewis (allewi)
> Cc: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode data link type 113 while reading pcaps
>
> Here you go : https://dl.dropboxusercontent.com/u/83226006/gtisc-winobot.20071027.1193443201.pcap
> This pcap comes from the 'Storm' botnet. It was obtained from obtained from a 3rd party - so I am not really sure 
> what non-ethernet stuff it has.
>
> Thanks!
>
> On Thu, May 21, 2015 at 3:07 PM, Al Lewis (allewi) <allewi () cisco com> wrote:
> > Can you provide some sample traffic that is giving you the error please?
> >
> > Albert Lewis
> > QA Software Engineer
> > SOURCEfire, Inc. now part of Cisco
> > 9780 Patuxent Woods Drive
> > Columbia, MD 21046
> > Phone: (office) 443.430.7112
> > Email: allewi () cisco com
> >
> >
> > -----Original Message-----
> > From: Pratik Narang [mailto:pratik.cse.bits () gmail com]
> > Sent: Thursday, May 21, 2015 2:09 AM
> > To: Al Lewis (allewi)
> > Cc: snort-users () lists sourceforge net; Waldo Kitty
> > Subject: Re: [Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode
> > data link type 113 while reading pcaps
> >
> > Thanks Waldo and Albert.
> > I recompiled Snort: ./configure --enable-sourcefire --enable-non-ether-decoders (followed by make and sudo make 
> > install) However, when i try to run it against the pcaps, I still get the same error.
> > Any hints?
> >
> >
> >
> >
> >
> > On Wed, May 20, 2015 at 8:57 PM, Al Lewis (allewi) <allewi () cisco com> wrote:
> > > What he means is that you need to recompile snort with that flag to read non Ethernet headers.
> > >
> > > Snort will decode Ethernet pcaps by default.
> > >
> > > Hope this helps.
> > >
> > > Albert Lewis
> > > QA Software Engineer
> > > SOURCEfire, Inc. now part of Cisco
> > > 9780 Patuxent Woods Drive
> > > Columbia, MD 21046
> > > Phone: (office) 443.430.7112
> > > Email: allewi () cisco com
> > >
> > > -----Original Message-----
> > > From: Pratik Narang [mailto:pratik.cse.bits () gmail com]
> > > Sent: Wednesday, May 20, 2015 8:12 AM
> > > To: snort-users () lists sourceforge net; Waldo Kitty
> > > Subject: Re: [Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode
> > > data link type 113 while reading pcaps
> > >
> > > On Wed, May 20, 2015 at 5:41 PM, Pratik Narang <pratik.cse.bits () gmail com> wrote:
> > > > ---------- Forwarded message ----------
> > > > From: Pratik Narang <pratik.cse.bits () gmail com>
> > > > Date: Wed, May 20, 2015 at 5:41 PM
> > > > Subject: Re: [Snort-users] Snort 2.9.7.2 throws ERROR: Cannot decode
> > > > data link type 113 while reading pcaps
> > > > To: waldo kitty <wkitty42 () windstream net>
> > > >
> > > >
> > > > Ummm... so,if I got that right, to be able to parse pcaps, I need to
> > > > re-compile Snort?
> > > >
> > > > On Wed, May 20, 2015 at 5:30 PM, waldo kitty <wkitty42 () windstream net> wrote:
> > > > > On 05/20/2015 07:40 AM, Pratik Narang wrote:
> > > > > > Now, I tried to run it against .pcap files in a directory using
> > > > > > the option --pcap-dir="/path/to/dumpfiles". Snort throws up an error:
> > > > > > ERROR: Cannot decode data link type 113 I read somewhere that
> > > > > > "--enable-non-ether-decoders" can be used to resolve this. But I
> > > > > > guess this option is not available for the present version of Snort.
> > > > >
> > > > > that's a compile time option... you have to use it when you run
> > > > > configure or make to create your snort binary...
> > > > >
> > > > > --
> > > > >   NOTE: No off-list assistance is given without prior approval.
> > > > >         Please *keep mailing list traffic on the list* unless
> > > > >         private contact is specifically requested and granted.
> > > > >
> > > > > -------------------------------------------------------------------
> > > > > -
> > > > > -
> > > > > --------- One dashboard for servers and applications across
> > > > > Physical-Virtual-Cloud Widest out-of-the-box monitoring support
> > > > > with
> > > > > 50+ applications Performance metrics, stats and reports that give
> > > > > 50+ you
> > > > > Actionable Insights Deep dive visibility with transaction tracing
> > > > > using APM Insight.
> > > > > http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> > > > > _______________________________________________
> > > > > Snort-users mailing list
> > > > > Snort-users () lists sourceforge net
> > > > > Go to this URL to change user options or unsubscribe:
> > > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > > Snort-users list archive:
> > > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > > >
> > > > > Please visit http://blog.snort.org to stay current on all the latest Snort news!
> > >
> > > ---------------------------------------------------------------------
> > > -
> > > -------- One dashboard for servers and applications across
> > > Physical-Virtual-Cloud Widest out-of-the-box monitoring support with 50+ applications Performance metrics, stats 
> > > and reports that give you Actionable Insights Deep dive visibility with transaction tracing using APM Insight.
> > > http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest Snort news!

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!