PPPoE Capture IP Layer Being Stripped

user11 · May 12, 2015, 1:43pm

Good day all,

One of my sites has all PPPoE traffic on the link I’m monitoring. The .log files are all generated correctly, but PCAP files end up with stripped IP layer information. This was easy to reproduce in bro 2.3.1 on Ubuntu by doing:

tcpdump -nn -i ethX -w test.pcap

bro -r test.pcap -w bro.pcap

The tcpdump traffic in test.pcap looks fine, but the bro pcap comes up as Ethernet traffic with an unknown type.

Is this a known bug? Or is there perhaps some configuration that needs to be changed in bro support this traffic?

Thanks in advance,

Jason

James_Lay · May 12, 2015, 4:04pm

I run bro on ppp0, but I don't think I've seen this issue. Have you tried having bro listen on the physical interface instead?

James

Topic		Replies	Views
Bro Digest, Vol 109, Issue 14 Zeek	2	88	May 6, 2022
PPPoE Capture IP Layer Being Stripped Zeek	2	75	May 6, 2022
Trouble with pppoe-traffic Zeek	3	69	May 6, 2022
Problem: Bro listening on two ethernet interfaces Zeek	1	64	May 6, 2022
Capturing the raw trace... Zeek	7	78	May 6, 2022

PPPoE Capture IP Layer Being Stripped

Related Topics