
Error: There's no second layer header available for this datalink #4

Open
9thplayer opened this issue Aug 9, 2019 · 0 comments


9thplayer commented Aug 9, 2019

Hey Guys,

I am using barnyard2 on Suricata over a pfSense firewall. I have enabled barnyard2 to send logs to syslog, which is my ELK. Everything works fine, but barnyard2 gets stopped after some time, and when I open the log file it shows the error below:

```
Aug 9 05:28:34 barnyard2 31524 --== Initialization Complete ==--
Aug 9 05:28:34 barnyard2 31524 Barnyard2 initialization completed successfully (pid=31524)
Aug 9 05:28:34 barnyard2 31524 Using waldo file '/var/log/suricata/suricata_bge140240/barnyard2/40240_bge1.waldo': spool directory = /var/log/suricata/suricata_bge140240 spool filebase = unified2.alert time_stamp = 1565240661 record_idx = 52633
Aug 9 05:28:34 barnyard2 31524 Opened spool file '/var/log/suricata/suricata_bge140240/unified2.alert.1565307024'
Aug 9 05:28:34 barnyard2 31524 There's no second layer header available for this datalink
Aug 9 05:28:34 barnyard2 31524 Closing spool file '/var/log/suricata/suricata_bge140240/unified2.alert.1565307024'. Read 1406 records
```

So the workaround is that I delete the file below every time and restart Suricata, and barnyard2 starts fine:
`/var/log/suricata/suricata_bge140240/unified2.alert.1565307024`
And that's frustrating.

I am not a developer, but I tried to find my own way as I was not getting anything on the internet, so I pulled the source code and looked through it all the way to this:

```c
case 228: /* Defined in some bpf implementation as DLT_IPV4 */
case 229: /* Defined in some bpf implementation as DLT_IPV6 */

        if (BcOutputDataLink())
        {
            LogMessage("There's no second layer header available for "
                       "this datalink\n");

            barnyard2_conf->output_flags &= ~OUTPUT_FLAG__SHOW_DATA_LINK;
        }
        DecodeRawPkt(p, pkthdr, pkt);
        break;

        /*
         * you need the I4L modified version of libpcap to get this stuff
         * working
         */
```
Do I need a new libpcap version or something, or can I simply disable something in Suricata or barnyard2 to get this working properly?

Please help me guys.
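To make clear what the quoted branch is deciding, here is an added example (not barnyard2's code and not from this issue) that locates the IP header for a packet given its DLT, treating 228/229 the way the snippet does: as raw IP with no second layer header. It assumes libpcap's DLT_EN10MB value of 1, and the sample packet bytes are constructed, not real captures.

```c
#include <stddef.h>
#include <stdint.h>

/* libpcap DLT values: DLT_EN10MB is 1 (assumed from libpcap); 228 and 229 are
 * the raw IPv4/IPv6 datalinks named in the barnyard2 snippet in the issue. */
#define DLT_EN10MB 1
#define DLT_IPV4   228
#define DLT_IPV6   229

/* Where the network-layer header sits in a captured packet. */
struct l3_view {
    int    has_datalink_hdr; /* 1 if a second layer (L2) header precedes IP */
    size_t l3_offset;        /* byte offset of the IP header within pkt */
    int    ip_version;       /* 4 or 6, or 0 when the packet cannot be decoded */
};

/* Locate the IP header for a packet given its DLT (the linktype carried in the
 * unified2 packet record). For DLT_IPV4/DLT_IPV6 the packet starts with IP and
 * there is no second layer header, which is why the branch in the issue logs
 * its message and clears the show-datalink flag before calling DecodeRawPkt(). */
struct l3_view locate_l3(int dlt, const uint8_t *pkt, size_t len)
{
    struct l3_view v = {0, 0, 0};
    switch (dlt) {
    case DLT_EN10MB:        /* 14-byte Ethernet header, then IP */
        v.has_datalink_hdr = 1;
        v.l3_offset = 14;
        break;
    case DLT_IPV4:
    case DLT_IPV6:          /* raw IP: no L2 header, IP header at offset 0 */
        break;
    default:                /* unknown datalink: report nothing decodable */
        return v;
    }
    if (len <= v.l3_offset)
        return v;           /* truncated capture: no IP header to read */
    uint8_t ver = pkt[v.l3_offset] >> 4;
    v.ip_version = (ver == 4 || ver == 6) ? (int)ver : 0;
    return v;
}

/* Constructed sample packets (not real captures): the start of a raw IPv4
 * header, and an Ethernet frame (dst, src, EtherType 0x86DD) followed by IPv6. */
static const uint8_t SAMPLE_RAW4[] = {0x45, 0x00, 0x00, 0x14};
static const uint8_t SAMPLE_ETH6[] = {0,0,0,0,0,1, 0,0,0,0,0,2, 0x86,0xDD, 0x60,0x00};
```

The message in the log is informational in this branch: it only clears the show-datalink output flag and decoding continues with the raw IP header.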
