This repository has been archived by the owner on Jan 18, 2024. It is now read-only.

Error: There's no second layer header available for this datalink. #249

Open
9thplayer opened this issue Aug 9, 2019 · 1 comment

@9thplayer

Hey Guys,

I am using barnyard2 on Suricata over a pfSense firewall. I have enabled barnyard2 to send logs to syslog, which is my ELK. Everything works fine, but barnyard2 gets stopped after some time, and when I open the log file it says the error below:

============================================

Aug 9 05:28:34 barnyard2 31524 --== Initialization Complete ==--
Aug 9 05:28:34 barnyard2 31524 Barnyard2 initialization completed successfully (pid=31524)
Aug 9 05:28:34 barnyard2 31524 Using waldo file '/var/log/suricata/suricata_bge140240/barnyard2/40240_bge1.waldo': spool directory = /var/log/suricata/suricata_bge140240 spool filebase = unified2.alert time_stamp = 1565240661 record_idx = 52633
Aug 9 05:28:34 barnyard2 31524 Opened spool file '/var/log/suricata/suricata_bge140240/unified2.alert.1565307024'
**Aug 9 05:28:34 barnyard2 31524 There's no second layer header available for this datalink
Aug 9 05:28:34 barnyard2 31524 Closing spool file '/var/log/suricata/suricata_bge140240/unified2.alert.1565307024'. Read 1406 records**
============================================

So the workaround is that I delete the file below every time and restart Suricata, and barnyard2 starts fine.
/var/log/suricata/suricata_bge140240/unified2.alert.1565307024
And that's frustrating.
I am not a developer, but I tried to find my own way, as I was not getting anything on the internet, so I pulled the source code and looked through it all the way to this:

```c
    case 228: /* Defined in some bpf implementation as DLT_IPV4 */
    case 229: /* Defined in some bpf implementation as DLT_IPV6 */

        if (BcOutputDataLink())
        {
            LogMessage("There's no second layer header available for "
                       "this datalink\n");

            barnyard2_conf->output_flags &= ~OUTPUT_FLAG__SHOW_DATA_LINK;
        }
        DecodeRawPkt(p, pkthdr, pkt);
        break;

        /*
         * you need the I4L modified version of libpcap to get this stuff
         * working
         */
```
Do I need a new version of libpcap or something, or can I simply disable something in Suricata or barnyard2 to get this working properly?

Please help me guys.
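The barnyard2 code quoted above only logs that message once for datalink 228/229 (raw IPv4/IPv6 with no Ethernet header), clears the `OUTPUT_FLAG__SHOW_DATA_LINK` flag and then decodes the packet as raw IP, so the message itself does not say why reading stopped. A quick way to look at what is actually in the spool file is to parse its records directly. The inspector below is an added example, not code from the original issue, from barnyard2 or from Suricata. It assumes the unified2 on-disk layout (each record is a big-endian `type, length` header followed by `length` bytes; a packet record carries seven big-endian 32-bit fields, the sixth being the libpcap linktype, followed by the packet bytes), and the DLT constants from libpcap. The sample spool content is constructed inline and is not a real capture; it includes a record cut off mid-way, which is what a reader sees when the file is still being written.

```python
import struct
from collections import Counter

# Record type and libpcap DLT values (libpcap constants; 228/229 are the two
# the quoted barnyard2 switch handles).
UNIFIED2_PACKET = 2
DLT_EN10MB = 1    # Ethernet: 14-byte layer-2 header in front of the IP header
DLT_IPV4 = 228    # raw IPv4, no layer-2 header
DLT_IPV6 = 229    # raw IPv6, no layer-2 header
NO_LAYER2 = {DLT_IPV4, DLT_IPV6}

RECORD_HDR = struct.Struct("!II")       # type, length (network byte order)
PACKET_HDR = struct.Struct("!IIIIIII")  # sensor_id, event_id, event_second,
                                        # packet_second, packet_microsecond,
                                        # linktype, packet_length


def build_packet_record(linktype, pkt, sensor_id=0, event_id=1, second=1565307024):
    """Serialize one UNIFIED2_PACKET record (used only to construct sample input)."""
    body = PACKET_HDR.pack(sensor_id, event_id, second, second, 0, linktype, len(pkt)) + pkt
    return RECORD_HDR.pack(UNIFIED2_PACKET, len(body)) + body


def iter_records(data):
    """Yield (record_type, payload); yield ('truncated', tail) if data ends mid-record."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rtype, rlen = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if off + rlen > len(data):
            yield "truncated", data[off:]   # length field points past end of file
            return
        yield rtype, data[off:off + rlen]
        off += rlen
    if off < len(data):
        yield "truncated", data[off:]       # fewer than 8 bytes left: partial header


def classify_packet(payload):
    """Decode a packet record header and locate the IP header for its linktype."""
    fields = PACKET_HDR.unpack_from(payload)
    linktype, pkt_len = fields[5], fields[6]
    pkt = payload[PACKET_HDR.size:PACKET_HDR.size + pkt_len]
    if linktype in NO_LAYER2:
        ip_version = pkt[0] >> 4 if pkt else None   # packet starts at the IP header
    elif linktype == DLT_EN10MB and len(pkt) > 14:
        ip_version = pkt[14] >> 4                    # skip the Ethernet header
    else:
        ip_version = None                            # other DLTs not decoded here
    return {"linktype": linktype, "has_layer2": linktype not in NO_LAYER2,
            "ip_version": ip_version, "packet_length": pkt_len}


def summarize(data):
    """Count records per linktype, flag layer-2-less ones and a truncated tail."""
    linktypes, no_layer2, records, truncated = Counter(), 0, 0, False
    for rtype, payload in iter_records(data):
        if rtype == "truncated":
            truncated = True
            break
        records += 1
        if rtype == UNIFIED2_PACKET:
            info = classify_packet(payload)
            linktypes[info["linktype"]] += 1
            no_layer2 += not info["has_layer2"]
    return {"records": records, "linktypes": dict(linktypes),
            "no_layer2": no_layer2, "truncated": truncated}


# Constructed sample spool content (not a real capture): a raw-IPv4 record as a
# DLT 228 sensor writes it, an Ethernet-framed record, and a DLT 229 record cut
# off after 20 bytes, as seen when the writer has not finished the record.
IPV4_PKT = bytes.fromhex("4500001400010000400600000a0000010a000002")  # 20-byte IPv4 header
ETH_PKT = bytes.fromhex("00112233445566778899aabb0800") + IPV4_PKT    # Ethernet + IPv4
SAMPLE_SPOOL = (build_packet_record(DLT_IPV4, IPV4_PKT)
                + build_packet_record(DLT_EN10MB, ETH_PKT)
                + build_packet_record(DLT_IPV6, b"\x60" + b"\x00" * 39)[:20])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SPOOL
    print(summarize(data))
```

Run it with the path of the `unified2.alert.<timestamp>` file as the argument. A `linktypes` entry of 228 or 229 confirms the sensor writes raw IP packets, which is exactly the case that triggers the quoted message and is handled by `DecodeRawPkt`; a `truncated` result shows the file ended mid-record at the time of reading.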

@kraigu

kraigu commented Aug 9, 2019

Much as I hate to send people elsewhere, this project has been pretty quiet for quite a while now. Since you're doing Suricata -> ELK, you might consider filebeat instead, the non-free-licensed version has a Suricata module.
