-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Linux cooked-mode capture (SLL) support #19
Comments
This was caused from a *.pcapng file which had Linux cooked-mode capture (SLL) layer-2 headers mixed with proper Ethernet headers. https://wiki.wireshark.org/SLL I was able to run the *.pcapng through Tracewrangler (https://www.tracewrangler.com/), removing the 'sll' headers and replacing with false Ethernet headers so the *.pcapng can then be processed in Brim. It works, I'm digging through it now. 👍 |
@showipintbri: Thanks for the quick follow-up with the workaround! Now that you've figured out the root cause, I was hoping to get some example data to reproduce the problem. I know there's usually sensitive data in pcaps so I figured you couldn't share yours, so I followed the info in that Wireshark link. Per the tips found there, it looks like I was able to get something workable by taking a live capture on Wireshark after having selected the "Any" interface. That by itself still imported without complaint into Brim, but going off your tip about the SLL-header'ed traffic being "mixed" with proper traffic, I did a It looks like the base
However, both Zeek and Suricata choke on it, for sure. Running on my Mac with the artifacts bundled with Brim
We happen to be in the middle of a project to decouple the packet processing from the Brim app (brimdata/zui#1505), which should make it easier to debug, work-around, and/or fix these kinds of problems. Perhaps there's something that could be done at the base packet processing layer to detect & work around this similar to what you did with Tracewrangler, or at the very least identify the problem and present a better error message and a pointer to at workaround. Since we need to get the base project finished first I imagine we won't get to diving into this specific corner case right away, but I wanted to get the details written down for later while it's fresh in our minds. Glad to hear you've managed to work around it in the interim! I'll hold this one open as a reminder for us to circle back to it and for others to find if they bump into this root cause. |
Per the prior comment, I'm going to transfer this one to the Brimcap repo since in the future these kinds of pcap import problems will come up in that context. After we finish base Brimcap functionality perhaps someone can look into adding an optional "replace the headers" workaround as part of the pipeline. |
It looks like another user has bumped into a variation of this problem as reported in a recent community Slack thread. In this case the user was able to share their test data traf2.pcap.gz which must be The attached video shows the user-facing symptom: The pcap can successfully dragged into Zui, but once we click on a connection and attempt to open its pcap slice in Wireshark, the "no packets found" error is shown. Repro.mp4Having looked closely at this repro, I can see conditions have changed slightly since this issue was first opened. In the past, the Zeek bundled with Brimcap/Zui was based on Zeek v3.2.1 which did not have support for cooked-mode/SLL. However, I can see support for this was added in Zeek v5.1.0, which explains why the Zeek summary logs are shown after the successful drag & drop. Meanwhile, Suricata quietly fails because they still lack support for this as tracked in their open issue #4951.
Back to Zui/Brimcap, in my local Zui checkout I had it print out the
However, recreating the equivalent filter logic in Wireshark we can see it has no problem isolating the slice. Wireshark also shows the evidence that the pcap is of the "cooked" variety. Finally, the Brimcap v1.6.0 that's bundled with current Zui releases does reflect that the link type is not currently supported.
However, I do think I see a way to address this, so I will put up a Brimcap PR shortly. |
Verified in Brimcap commit c74d4ff. Using the test data from the last comment above, Brimcap is now able to detect the link type for this capture.
Then with Zui Verify.mp4All that said, after delivering this fix to the user, we learned that there's still a remaining issue here that seems to be specific to the Zeek port on Windows, so I've opened a separate issue zeek/zeek#3609 to track that. There's also the problem cited above with how Suricata also lacks support for this link layer protocol, though that doesn't cause any failure to import the pcap into Zui, it just means no chance of seeing alerts. Ultimately it doesn't seem appropriate for us to maintain our own issues for every problem we encounter with one of the bundled analyzers, so I've opened #337 to track the idea of documenting somewhere (probably in the Brimcap wiki) what the known problems are that our users have hit with analyzers and link to the open issues for those other projects in the event that users want to pursue those. |
Before opening a new issue, please make sure you've reviewed the troubleshooting guide:
https://github.com/brimsec/brim/wiki/Troubleshooting
Describe the bug
Loading a *.pcap file yielded this error
To Reproduce
Try to load the *.pcap file again
Expected behavior
The summary data generated by zeek should be produced
Screenshots
Desktop Info
[Please complete the following information]
The text was updated successfully, but these errors were encountered: