bro help please

Hello all,

I am using Bro 1.5. I am reading from a pcap file and trying to use a policy. I am sending the error messages I get when I run Bro on it. I request you all to please help me.

The messages are as follows.

linux-oxtm:~ # bro -r /usr/local/bro/090500-0-anon.pcap /usr/local/bro/share/bro/synflood.bro

/usr/local/bro/share/bro/drop.bro, lines 67-71 (128.8.10.90): warning, multiple initializations for index
/usr/local/bro/share/bro/drop.bro, lines 67-71 (192.5.5.241): warning, multiple initializations for index
/usr/local/bro/share/bro/drop.bro, lines 75-79 (192.48.79.30): warning, multiple initializations for index
bro: problem with trace file /usr/local/bro/090500-0-anon.pcap - unknown data link type 0x68

Thanks.
Regards.
vijay M Khadse

The packets in tracefile are encapsulated in something strange at layer-2. Most commonly, the packets would be encapsulated in Ethernet headers (aka EN10MB). I don't know what 0x68 is.

   .Seth

I found them in pcap-bpf.h..

#define DLT_NULL 0 /* BSD loopback encapsulation */
#define DLT_EN10MB 1 /* Ethernet (10Mb) */
...
#define DLT_C_HDLC 104 /* Cisco HDLC */

I'm not sure why that would be..

Adding support for other encapsulation types seems to just be a matter of
telling Bro what the offset to the data is at the end of src/PktSrc.cc.

I have no idea what the offset is for HDLC though :)

> Adding support for other encapsulation types seems to just be a matter of
> telling Bro what the offset to the data is at the end of src/PktSrc.cc.

Yeah, that should generally suffice provided it's a fixed-length header.
Conceptually Bro would also need to be told, per packet, what's encapsulated
within it (e.g., IPv4 vs. ARP), but it actually has a hack to figure this
out itself.

    Vern
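The following is an added example pulling together the points in this thread; it is not code from Bro's src/PktSrc.cc or from anyone in the thread. It reads the classic pcap global header to get the link type (the 0x68 = 104 = DLT_C_HDLC that Bro rejected), maps the link type to the fixed layer-2 header length that a packet source needs (Cisco HDLC frames carry a 4-byte header: address, control, 2-byte protocol code; Ethernet 14; BSD loopback 4), and then reads each packet's protocol code to learn what is encapsulated (0x0800 for IPv4 in both Ethernet and Cisco HDLC). The function names and the in-memory pcap bytes are constructed for the example, not taken from the 090500-0-anon.pcap trace.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

// Link-layer type codes from pcap-bpf.h, as quoted in the thread.
enum : uint32_t { DLT_NULL = 0, DLT_EN10MB = 1, DLT_C_HDLC = 104 };

// Fixed layer-2 header length per link type: the "offset to the data" that a
// packet source needs. Unknown types fail the same way Bro's error message did.
size_t l2_header_len(uint32_t dlt) {
    switch (dlt) {
        case DLT_NULL:   return 4;   // BSD loopback: 4-byte AF_* family word
        case DLT_EN10MB: return 14;  // dst MAC(6) src MAC(6) EtherType(2)
        case DLT_C_HDLC: return 4;   // Cisco HDLC: addr(1) ctrl(1) proto(2)
        default: {
            char msg[64];
            std::snprintf(msg, sizeof msg, "unknown data link type 0x%x", dlt);
            throw std::runtime_error(msg);
        }
    }
}

bool link_type_supported(uint32_t dlt) {
    try { l2_header_len(dlt); return true; }
    catch (const std::runtime_error&) { return false; }
}

static uint16_t be16(const uint8_t* p) { return uint16_t(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t* p, bool le) {
    return le ? (uint32_t(p[3]) << 24 | uint32_t(p[2]) << 16 | uint32_t(p[1]) << 8 | p[0])
              : (uint32_t(p[0]) << 24 | uint32_t(p[1]) << 16 | uint32_t(p[2]) << 8 | p[3]);
}

// The per-packet "what is encapsulated" value. Ethernet and Cisco HDLC both end
// their header with a 2-byte big-endian protocol code (0x0800 = IPv4, 0x0806 =
// ARP on Ethernet), so one lookup serves both; DLT_NULL is not handled here.
uint16_t l3_protocol(uint32_t dlt, const std::vector<uint8_t>& frame) {
    size_t hl = l2_header_len(dlt);
    if (frame.size() < hl) throw std::runtime_error("truncated layer-2 header");
    if (dlt == DLT_EN10MB || dlt == DLT_C_HDLC) return be16(&frame[hl - 2]);
    throw std::runtime_error("no protocol code for this link type");
}

struct PcapTrace {
    uint32_t linktype;
    std::vector<std::vector<uint8_t>> packets;
};

// Minimal reader for the classic pcap container: 24-byte global header (magic,
// version, tz, sigfigs, snaplen, linktype), then 16-byte record headers
// (ts_sec, ts_usec, incl_len, orig_len), each followed by incl_len frame bytes.
PcapTrace parse_pcap(const std::vector<uint8_t>& buf) {
    if (buf.size() < 24) throw std::runtime_error("short pcap header");
    bool le;
    if (rd32(&buf[0], true) == 0xa1b2c3d4) le = true;
    else if (rd32(&buf[0], false) == 0xa1b2c3d4) le = false;
    else throw std::runtime_error("bad pcap magic");
    PcapTrace t;
    t.linktype = rd32(&buf[20], le);
    size_t off = 24;
    while (off + 16 <= buf.size()) {
        uint32_t incl = rd32(&buf[off + 8], le);
        off += 16;
        if (off + incl > buf.size()) throw std::runtime_error("truncated record");
        t.packets.emplace_back(buf.begin() + off, buf.begin() + off + incl);
        off += incl;
    }
    return t;
}

// Constructed sample (not the trace from the thread): a little-endian pcap with
// linktype 104 holding one Cisco HDLC frame (addr 0x0F, ctrl 0x00, proto 0x0800)
// around a 20-byte IPv4 header from 10.0.0.1 to 10.0.0.2.
std::vector<uint8_t> sample_chdlc_pcap() {
    return {
        0xd4,0xc3,0xb2,0xa1, 0x02,0x00, 0x04,0x00, 0,0,0,0, 0,0,0,0,
        0xff,0xff,0x00,0x00, 0x68,0x00,0x00,0x00,           // linktype 104
        0,0,0,0, 0,0,0,0, 24,0,0,0, 24,0,0,0,                // record header
        0x0f,0x00, 0x08,0x00,                                 // Cisco HDLC
        0x45,0x00,0x00,0x14, 0,0,0,0, 0x40,0x01,0,0,          // IPv4 header
        10,0,0,1, 10,0,0,2 };
}

// Walk a trace the way a packet source would: resolve the header length once
// from the link type, then read every packet's protocol code.
int count_ipv4(const std::vector<uint8_t>& buf) {
    PcapTrace t = parse_pcap(buf);
    int n = 0;
    for (const auto& f : t.packets)
        if (l3_protocol(t.linktype, f) == 0x0800) ++n;
    return n;
}

int main() {
    PcapTrace t = parse_pcap(sample_chdlc_pcap());
    std::printf("link type 0x%x: L2 header %zu bytes, %zu packets, %d IPv4\n",
                t.linktype, l2_header_len(t.linktype), t.packets.size(),
                count_ipv4(sample_chdlc_pcap()));
}
```

The fixed-length assumption Vern mentions is what makes the table in l2_header_len sufficient; a link type whose header varies per packet (or that needs the DLT_NULL host-order family word) needs per-packet parsing instead of a single offset.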