non_ip_packet_in_ethernet on a TCP three-way handshake

Hi,

I have a pcap containing only a TCP three-way handshake. When I tried this pcap in "try zeek" online with a simple tcp_packet event handler, nothing is printed out and a non_ip_packet_in_ethernet warning is generated in the weird log. Any idea what is going on?

Best regards,

Hui Lin

Hi Hui,

Just to check the obvious - did you look at the trace in tcpdump/something else to check that it actually has correct ethernet headers, etc?

Johanna

Hi Johanna,

A little bit more debugging that I did.

I captured the trace with Wireshark; Wireshark shows no errors on this three-way handshake.

When I used the original trace that has the LLDP packet as the first packet, the same warning was still generated on the first packet.

I am not sure what triggers the error in Bro.

Thanks a lot and best,

Hui Lin
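To do the check Johanna suggests without leaving the terminal, here is an added example (not part of this thread and not Zeek's own code): a small Python script that walks a classic pcap, reads the EtherType of every frame and reports the frames Zeek would record as non_ip_packet_in_ethernet, i.e. anything on an Ethernet link that is neither IPv4 nor IPv6 (an LLDP frame, EtherType 0x88cc, is exactly such a case, so a weird on the first packet of a trace that starts with LLDP is expected). The pcap it analyses is constructed inline for the demonstration: an LLDP frame, a TCP SYN over IPv4 and a frame too short to carry an Ethernet header; the MAC and IP addresses in it are made up. Only the classic libpcap format is handled; pcapng files, which Wireshark writes by default, would need to be converted first.

```python
import struct
from typing import Iterator, List, Tuple

# EtherTypes that carry IP traffic. Any other EtherType on an Ethernet link
# is what Zeek reports as the non_ip_packet_in_ethernet weird.
IP_ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6"}
# Well-known non-IP EtherTypes, named only to make the report readable.
OTHER_ETHERTYPES = {0x0806: "ARP", 0x88CC: "LLDP", 0x8100: "802.1Q"}

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def pcap_records(data: bytes) -> Iterator[bytes]:
    """Yield the raw bytes of every record in a classic (non-pcapng) pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng must be converted first)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"link type {linktype} is not Ethernet")
    off = 24  # size of the global header
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def classify_frame(frame: bytes) -> Tuple[str, str]:
    """Return (verdict, detail) for one Ethernet frame.

    verdict is 'ip', 'non_ip_packet_in_ethernet' or 'truncated'.
    """
    if len(frame) < 14:
        return ("truncated", f"{len(frame)} bytes, shorter than an Ethernet header")
    ethertype, = struct.unpack_from("!H", frame, 12)
    # One 802.1Q VLAN tag is peeled off so a tagged IP frame is not misreported.
    if ethertype == 0x8100 and len(frame) >= 18:
        ethertype, = struct.unpack_from("!H", frame, 16)
    if ethertype in IP_ETHERTYPES:
        return ("ip", IP_ETHERTYPES[ethertype])
    name = OTHER_ETHERTYPES.get(ethertype, "unknown")
    return ("non_ip_packet_in_ethernet", f"EtherType 0x{ethertype:04x} ({name})")


def audit_pcap(data: bytes) -> List[Tuple[int, str, str]]:
    """Classify every frame; returns (frame number, verdict, detail) tuples."""
    return [(i, *classify_frame(f)) for i, f in enumerate(pcap_records(data), start=1)]


def build_sample_pcap() -> bytes:
    """Constructed test input: an LLDP frame, a TCP SYN and a truncated frame."""
    def rec(frame: bytes) -> bytes:
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

    ghdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    src_mac = bytes.fromhex("001122334455")  # made-up address
    # LLDP: multicast destination, EtherType 0x88cc, chassis-ID TLV, end TLV.
    lldp = (bytes.fromhex("0180c200000e") + src_mac + b"\x88\xcc"
            + bytes.fromhex("020704") + src_mac + b"\x00\x00")
    # Minimal IPv4 header (20 bytes) followed by a 20-byte TCP SYN.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    syn = bytes.fromhex("665544332211") + src_mac + b"\x08\x00" + ip + tcp
    return ghdr + rec(lldp) + rec(syn) + rec(b"\x01\x80\xc2\x00")


if __name__ == "__main__":
    for number, verdict, detail in audit_pcap(build_sample_pcap()):
        print(f"frame {number}: {verdict} ({detail})")
```

Run against a real file by replacing `build_sample_pcap()` with the bytes of the capture; a trace in which every frame comes back as `non_ip_packet_in_ethernet` or `truncated` points at the capture's link-layer headers rather than at the TCP analysis, which is the situation Johanna's question is aimed at.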

Hi Johanna,

It turned out to be a problem with Wireshark. I rebooted everything and then used Wireshark to collect the same traffic from the machine. It is working fine. I am not exactly sure what caused the problem, but I will share the pcap with you, as this scenario can be a potential DoS for Bro. As the mailing list blocks attachments, I will send you the pcap in a private email.

Thank you and best regards,

Hui Lin