Project

General

Profile

Actions
Copy link

Feature #4951

open

decode: datalink type 276 not yet supported

Added by Peter Pan over 3 years ago. Updated about 1 year ago.

Status:
Assigned
Priority:
Normal
Assignee:
Community Ticket
Target version:
TBD
Effort:
Difficulty:
Label:
Beginner, C, Good First Issue, Protocol

Description

<Error> - [ERRCODE: SC_ERR_UNIMPLEMENTED(88)] - datalink type 276 not (yet) supported in module PcapFile.

Suricata 6.0.4 not supporting datalink type 276 yet? Would it be supported in the future or any possible workaround?

Thank you.

Files

linux_dlt_sll2.pcap (672 Bytes) linux_dlt_sll2.pcap Phil Rzewski, 01/17/2024 01:39 AM
Actions
Copy link
 #1

Updated by Victor Julien over 3 years ago

Are you able to provide a (public) pcap?

Actions
Copy link
 #2

Updated by Andreas Herz over 3 years ago

  • Tracker changed from Support to Feature
  • Status changed from New to Assigned
  • Assignee set to Peter Pan
  • Target version set to TBD
Actions
Copy link
 #3

Updated by Pablo Catalina over 2 years ago

Victor Julien wrote in #note-1:

Are you able to provide a (public) pcap?

It is easy to reproduce:

On a linux (tested on Kali linux) sniff using the options -s0 -i any -w filename.pcap, tcpdump will store the data using LINKTYPE_LINUX_SLL2 (which contains the name of the network interface in the headers). More info: https://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL2.html

Actions
Copy link
 #4

Updated by Phil Rzewski over 1 year ago

We recently had a user bump into this problem as well so I happened to find this issue. Per the request in the most recent comment for a public pcap, I've attached one that reproduces with current GA Suricata v7.0.2.

$ suricata -V
This is Suricata version 7.0.2 RELEASE

$ suricata -r linux_dlt_sll2.pcap 
i: suricata: This is Suricata version 7.0.2 RELEASE running in USER mode
E: pcap: datalink type 276 not (yet) supported in module PcapFile.
W: pcap: Failed to init pcap file linux_dlt_sll2.pcap, skipping
E: pcap: pcap file reader thread failed to initialize
i: threads: Threads created -> RX: 1 W: 12 FM: 1 FR: 1   Engine started.
i: suricata: Signal Received.  Stopping engine.

That example pcap happens to be https://github.com/zeek/zeek/blob/master/testing/btest/Traces/linux_dlt_sll2.pcap that's used in tesing the Zeek project, as they added support for this format in https://github.com/zeek/zeek/pull/2340. Perhaps adding support in Suricata could be aided by borrowing from another open source project.

Actions
Copy link
 #5

Updated by steve smoot over 1 year ago

I looked through the zeek diff (https://github.com/zeek/zeek/pull/2340/files)
Basically it copies out a header:
struct SLL2Header {
uint16_t protocol_type;
uint16_t reserved;
uint32_t interface_index;
uint16_t arphrd_type;
uint8_t packet_type;
uint8_t addr_len;
uint64_t addr;
} attribute((packed));
};
sets a field that zeek depends on (l2_dst), advances the pointer, and just uses normal processing thereafter.
so it's likely a similarly trivial change.

Actions
Copy link
 #6

Updated by Victor Julien about 1 year ago

  • Subject changed from datalink type 276 not yet supported to decode: datalink type 276 not yet supported
  • Assignee changed from Peter Pan to Community Ticket
  • Label Beginner, C, Good First Issue, Protocol added
Actions
Copy link

Also available in: Atom PDF