Trouble with pppoe-traffic

user30 · September 5, 2018, 9:31am

Good day all,

My IDS server receives mirrored traffic from the switch. In addition to classic traffic, I also see pppoe traffic.
But the bro why does not recognize this traffic. What could be the problem?

What kind of customization is needed for the bro to see this type of traffic?

Here are links to samples of this traffic:

Seth_Hall2 · September 5, 2018, 7:06pm

What version of Bro are you running? In your pppoe_get2.pcap file Bro 2.5.3 worked fine for me. I got all of the files that I would expect. The reason the other file didn’t work is that your HTTP request in that one doesn’t have the TCP handshake and Bro’s HTTP analyzer is sensitive to not having the handshake. If the handshake is missing Bro will currently not analyze the connection as HTTP.

.Seth

user30 · September 10, 2018, 1:20pm

In my system I use version Bro-2.5.2.

Unfortunately I did not find the difference between the two versions, with respect to pppoe

Topic		Replies	Views
PPPoE Capture IP Layer Being Stripped Zeek	2	61	May 6, 2022
Bro Digest, Vol 109, Issue 14 Zeek	2	91	May 6, 2022
PPPoE support Zeek	3	68	May 6, 2022
Bro handling of Microsoft BITS traffic Zeek	2	67	May 6, 2022
can't get the http analyzer to print anything Zeek	3	61	May 6, 2022

Trouble with pppoe-traffic

Related Topics