PPPoE Capture IP Layer Being Stripped

Good day all,

One of my sites has all PPPoE traffic on the link I’m monitoring. The .log files are all generated correctly, but PCAP files end up with stripped IP layer information. This was easy to reproduce in bro 2.3.1 on Ubuntu by doing:

tcpdump -nn -i ethX -w test.pcap

bro -r test.pcap -w bro.pcap

The tcpdump traffic in test.pcap looks fine, but the bro pcap comes up as Ethernet traffic with an unknown type.

Is this a known bug? Or is there perhaps some configuration that needs to be changed in bro to support this traffic?

Thanks in advance,

Jason
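
One way to compare the two captures from the post above frame by frame, as an added example that is not part of the original thread: it counts what each frame carries after the Ethernet header, looking inside PPPoE session frames for the PPP protocol field. It assumes classic (non-pcapng) files with an Ethernet link type; the function names and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

ETHERTYPES = {0x0800: "ipv4", 0x86DD: "ipv6"}
PPP_PROTOCOLS = {0x0021: "ipv4", 0x0057: "ipv6"}  # PPP protocol field values

def classify_frame(frame):
    """Name what follows the Ethernet (and PPPoE session) header."""
    if len(frame) < 14:
        return "truncated"
    ethertype, offset = struct.unpack_from("!H", frame, 12)[0], 14
    if ethertype == 0x8100 and len(frame) >= 18:  # skip one 802.1Q tag
        ethertype, offset = struct.unpack_from("!H", frame, 16)[0], 18
    if ethertype in ETHERTYPES:
        return ETHERTYPES[ethertype]
    if ethertype == 0x8864:  # PPPoE session: 6-byte header, then PPP protocol
        if len(frame) < offset + 8:
            return "pppoe/truncated"
        proto = struct.unpack_from("!H", frame, offset + 6)[0]
        return "pppoe/" + PPP_PROTOCOLS.get(proto, "ppp-0x%04x" % proto)
    return "unknown-0x%04x" % ethertype

def summarize_pcap(data):
    """Count frame classes in a classic (non-pcapng) Ethernet capture."""
    if data[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif data[:4] in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("link type is not Ethernet")
    counts, pos = Counter(), 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "I", data, pos + 8)[0]
        counts[classify_frame(data[pos + 16:pos + 16 + incl_len])] += 1
        pos += 16 + incl_len
    return counts

# Constructed sample frames (not taken from the poster's captures).
MACS = bytes(12)
PPPOE_IPV4 = MACS + b"\x88\x64\x11\x00\x00\x01\x00\x16\x00\x21\x45" + bytes(19)
ODD_TYPE = MACS + b"\xff\xff" + bytes(20)  # stand-in for an unrecognised type

def build_pcap(frames):
    """Wrap raw frames in a little-endian classic pcap container."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

Calling `summarize_pcap(open("test.pcap", "rb").read())` and the same on `bro.pcap` shows whether the `pppoe/ipv4` frames in the input turn into `unknown-0x....` entries in the rewritten file, and which EtherType value they end up with.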

I run bro on ppp0, but I don't think I've seen this issue. Have you tried having bro listen on the physical interface instead?

James