Bro Digest, Vol 109, Issue 14

Date: Tue, 12 May 2015 10:04:56 -0600
From: James Lay <>
Subject: Re: [Bro] PPPoE Capture IP Layer Being Stripped
Message-ID: <b60c0945aa4749712ec607bdff0a435c@localhost>
Content-Type: text/plain; charset=US-ASCII; format=flowed

> Good day all,
> One of my sites has all PPPoE traffic on the link I'm monitoring. The
> .log files are all generated correctly, but PCAP files end up with
> stripped IP layer information. This was easy to reproduce in bro
> 2.3.1 on Ubuntu by doing:
> tcpdump -nn -i ethX -w test.pcap
> bro -r test.pcap -w bro.pcap
> The tcpdump traffic in test.pcap looks fine, but the bro pcap comes up
> as Ethernet traffic with an unknown type.
> Is this a known bug? Or is there perhaps some configuration that
> needs to be changed in bro support this traffic?
> Thanks in advance,
> Jason

I run bro on ppp0, but I don't think I've seen this issue. Have you
tried having bro listen on the physical interface instead?



I have indeed. Live capture was where the problem was first noticed. I

moved to an offline/tcpdump test as part of my troubleshooting to ensure
nothing else was causing problems (link issues, PF_RING, etc).

This problem isn’t a huge surprise to me. We haven’t supported the packet-writing feature for several releases (it’s also not explicitly deprecated, we just haven’t given it any attention). At the very least, it isn’t something that we have tests for due to it being complicated and unreliable in some circumstances.