Date: Tue, 12 May 2015 10:04:56 -0600
From: James Lay <jlay@slave-tothe-box.net>
Subject: Re: [Bro] PPPoE Capture IP Layer Being Stripped
To: bro@bro.org
Message-ID: <b60c0945aa4749712ec607bdff0a435c@localhost>
Content-Type: text/plain; charset=US-ASCII; format=flowed

> Good day all,
>
> One of my sites has all PPPoE traffic on the link I'm monitoring. The
> .log files are all generated correctly, but PCAP files end up with
> stripped IP layer information. This was easy to reproduce in bro
> 2.3.1 on Ubuntu by doing:
>
> tcpdump -nn -i ethX -w test.pcap
> bro -r test.pcap -w bro.pcap
>
> The tcpdump traffic in test.pcap looks fine, but the bro pcap comes up
> as Ethernet traffic with an unknown type.
>
> Is this a known bug? Or is there perhaps some configuration that
> needs to be changed in bro to support this traffic?
>
> Thanks in advance,
>
> Jason
>

I run bro on ppp0, but I don't think I've seen this issue. Have you
tried having bro listen on the physical interface instead?

James
------------------------------
I have indeed. Live capture was where the problem was first noticed. I
moved to an offline/tcpdump test as part of my troubleshooting to ensure
nothing else was causing problems (link issues, PF_RING, etc.).
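As an added check (not code from this thread or from Bro itself), a small Python walker that reads a classic Ethernet pcap and labels each frame as plain IPv4, IPv4 carried in a PPPoE session, or an EtherType it does not recognise. Run over test.pcap and bro.pcap it turns the "unknown type" symptom into counts that can be compared; the sample capture below is constructed inline, not taken from the reporter's link.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4
ETH_IPV4, ETH_PPPOE_SESSION, PPP_IPV4 = 0x0800, 0x8864, 0x0021

def classify_frame(frame):
    """Label what sits above the 14-byte Ethernet header of one frame."""
    if len(frame) < 14:
        return "truncated"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_IPV4:
        return "ipv4"
    if ethertype == ETH_PPPOE_SESSION:
        # PPPoE session header is 6 bytes (ver/type, code, session id, length),
        # followed by the 2-byte PPP protocol field; 0x0021 means IPv4 follows.
        if len(frame) < 22:
            return "pppoe/truncated"
        ppp_proto = struct.unpack("!H", frame[20:22])[0]
        return "pppoe/ipv4" if ppp_proto == PPP_IPV4 else "pppoe/0x%04x" % ppp_proto
    return "unknown/0x%04x" % ethertype

def classify_pcap(data):
    """Walk a classic pcap (either byte order) and count frames per label."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:   # DLT_EN10MB
        raise ValueError("expected an Ethernet (DLT_EN10MB) capture")
    counts, off = {}, 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        label = classify_frame(data[off + 16:off + 16 + incl_len])
        counts[label] = counts.get(label, 0) + 1
        off += 16 + incl_len
    return counts

# Constructed sample: one plain IPv4 frame, one IPv4-over-PPPoE frame, one zeroed EtherType.
def _frame(ethertype, payload):
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ethertype) + payload
def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

IPV4_STUB = b"\x45" + b"\x00" * 19   # minimal IPv4 header, constructed
SAMPLE = build_pcap([
    _frame(ETH_IPV4, IPV4_STUB),
    _frame(ETH_PPPOE_SESSION, b"\x11\x00\x00\x01\x00\x16" + struct.pack("!H", PPP_IPV4) + IPV4_STUB),
    _frame(0x0000, b"\x00" * 20),
])
```

For a real file, pass `open("bro.pcap", "rb").read()` to `classify_pcap`; a healthy PPPoE capture should show `pppoe/ipv4` rather than `unknown/...` entries.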