[Oisf-devel] Segfault on Suricata 1.2dev, PF_RING 5.2.1. and listening on a bonded interface

David.R.Wharton at regions.com David.R.Wharton at regions.com
Fri Jan 13 15:51:57 UTC 2012


Good question.  They are VLAN tagged so they have an extra four bytes.

-David



From:   Victor Julien <victor at inliniac.net>
To:     oisf-devel at openinfosecfoundation.org
Date:   01/13/2012 09:43 AM
Subject:        Re: [Oisf-devel] Segfault on Suricata 1.2dev, PF_RING 
5.2.1. and listening on a bonded interface
Sent by:        oisf-devel-bounces at openinfosecfoundation.org



On 01/13/2012 04:37 PM, David.R.Wharton at regions.com wrote:
> DecodeEthernet (tv=0xbfa89c0, dtv=0xda8fe48, p=0x8f27070, pkt=0x1a00ffff
> <Address 0x1a00ffff out of bounds>, len=64, pq=0xd533dd0) at
> decode-ethernet.c:56
> 56            switch (ntohs(p->ethh->eth_type)) {
> (gdb) backtrace
> #0  DecodeEthernet (tv=0xbfa89c0, dtv=0xda8fe48, p=0x8f27070,
> pkt=0x1a00ffff <Address 0x1a00ffff out of bounds>, len=64, pq=0xd533dd0)
> at decode-ethernet.c:56
> #1  0x0805ded8 in DecodePfring (tv=0xbfa89c0, p=0x8f27070,
> data=0xda8fe48, pq=0xd533dd0, postpq=0x0) at source-pfring.c:482

If you monitor the link with wireshark/tshark what is the link type? Do
the packets come in as straight ethernet packets or are they wrapped in
something else?

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------

_______________________________________________
Oisf-devel mailing list
Oisf-devel at openinfosecfoundation.org
http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20120113/f0d05a09/attachment-0002.html>


More information about the Oisf-devel mailing list