Feature #4951
opendecode: datalink type 276 not yet supported
Description
<Error> - [ERRCODE: SC_ERR_UNIMPLEMENTED(88)] - datalink type 276 not (yet) supported in module PcapFile.
Suricata 6.0.4 not supporting datalink type 276 yet? Would it be supported in the future or any possible workaround?
Thank you.
Files
Updated by Victor Julien over 2 years ago
Are you able to provide a (public) pcap?
Updated by Andreas Herz about 2 years ago
- Tracker changed from Support to Feature
- Status changed from New to Assigned
- Assignee set to Peter Pan
- Target version set to TBD
Updated by Pablo Catalina over 1 year ago
Victor Julien wrote in #note-1:
Are you able to provide a (public) pcap?
It is easy to reproduce:
On a linux (tested on Kali linux) sniff using the options -s0 -i any -w filename.pcap, tcpdump will store the data using LINKTYPE_LINUX_SLL2 (which contains the name of the network interface in the headers). More info: https://www.tcpdump.org/linktypes/LINKTYPE_LINUX_SLL2.html
Updated by Phil Rzewski 3 months ago
- File linux_dlt_sll2.pcap linux_dlt_sll2.pcap added
We recently had a user bump into this problem as well so I happened to find this issue. Per the request in the most recent comment for a public pcap, I've attached one that reproduces with current GA Suricata v7.0.2.
$ suricata -V This is Suricata version 7.0.2 RELEASE $ suricata -r linux_dlt_sll2.pcap i: suricata: This is Suricata version 7.0.2 RELEASE running in USER mode E: pcap: datalink type 276 not (yet) supported in module PcapFile. W: pcap: Failed to init pcap file linux_dlt_sll2.pcap, skipping E: pcap: pcap file reader thread failed to initialize i: threads: Threads created -> RX: 1 W: 12 FM: 1 FR: 1 Engine started. i: suricata: Signal Received. Stopping engine.
That example pcap happens to be https://github.com/zeek/zeek/blob/master/testing/btest/Traces/linux_dlt_sll2.pcap that's used in tesing the Zeek project, as they added support for this format in https://github.com/zeek/zeek/pull/2340. Perhaps adding support in Suricata could be aided by borrowing from another open source project.
Updated by steve smoot 3 months ago
I looked through the zeek diff (https://github.com/zeek/zeek/pull/2340/files)
Basically it copies out a header:
struct SLL2Header
{
uint16_t protocol_type;
uint16_t reserved;
uint32_t interface_index;
uint16_t arphrd_type;
uint8_t packet_type;
uint8_t addr_len;
uint64_t addr;
} attribute((packed));
};
sets a field that zeek depends on (l2_dst), advances the pointer, and just uses normal processing thereafter.
so it's likely a similarly trivial change.
Updated by Victor Julien 8 days ago
- Subject changed from datalink type 276 not yet supported to decode: datalink type 276 not yet supported
- Assignee changed from Peter Pan to Community Ticket
- Label Beginner, C, Good First Issue, Protocol added