Jason created BIT-1398:
--------------------------
Summary: PPPoE PCAP stripping layers
Key: BIT-1398
URL: https://bro-tracker.atlassian.net/browse/BIT-1398
Project: Bro Issue Tracker
Issue Type: Problem
Components: Bro
Affects Versions: 2.3
Environment: Ubuntu 12.04.5 , pf_ring
Reporter: Jason
Priority: High
Recently I discovered what I believe to be a problem with Bro's packet
collection of PPPoE traffic. This occurs both on the wire and when reading in
PCAP.
Here is a sample SSL session over PPPoE as captured by tcpdump:
12:58:27.914864568 PPPoE [ses 0x279a] IP 192.168.110.235.25095 >
192.168.162.218.443: Flags [S], seq 2317077818, win 65535, options [mss
1380,nop,wscale 9,sackOK,TS val 139402792 ecr 0], length 0
12:58:28.091544568 PPPoE [ses 0x279a] IP 192.168.162.218.443 >
192.168.110.235.25095: Flags [S.], seq 2303200074, ack 2317077819, win 5792,
options [mss 1460,sackOK,TS val 1200789536 ecr 139402792,nop,wscale 7], length 0
12:58:28.092020568 PPPoE [ses 0x279a] IP 192.168.110.235.25095 >
192.168.162.218.443: Flags [.], ack 1, win 513, options [nop,nop,TS val
139402972 ecr 1200789536], length 0
12:58:28.092579568 PPPoE [ses 0x279a] IP 192.168.110.235.25095 >
192.168.162.218.443: Flags [P.], seq 1:257, ack 1, win 513, options [nop,nop,TS
val 139402972 ecr 1200789536], length 256
12:58:28.268976568 PPPoE [ses 0x279a] IP 192.168.162.218.443 >
192.168.110.235.25095: Flags [.], ack 257, win 54, options [nop,nop,TS val
1200789713 ecr 139402972], length 0
Running this capture through Bro results in a valid ssl.log:
1431435508.092579 C2fjf233dO59LO7sj9 192.168.110.235 25095
192.168.162.218 443 TLSv10 TLS_DHE_RSA_WITH_AES_256_CBC_SHA -
some_website.com
7e710c9504f77e9fc8d18121ed965a25119c673b6b4e0a07b5bfcd5baadae534 -
T - - - - --
But the resulting PCAP coming out of Bro for the same packets looks like this:
12:58:27.914864256 40:00:3f:06:da:8a > 45:00:00:3c:aa:49, ethertype Unknown
(0x6e36), length 82:
12:58:28.091544552 40:00:30:06:93:d4 > 45:00:00:3c:00:00, ethertype Unknown
(0x36ec), length 82:
12:58:28.092020256 40:00:3f:06:da:84 > 45:00:00:34:aa:57, ethertype Unknown
(0x6e36), length 74:
12:58:28.092579152 40:00:3f:06:d9:82 > 45:00:01:34:aa:59, ethertype Unknown
(0x6e36), length 330:
12:58:28.268976656 40:00:30:06:00:42 > 45:00:00:34:93:9a, ethertype Unknown
(0x36ec), length 74:
Please let me know if you need any additional information.
Jason
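The "MAC addresses" in the tcpdump output of Bro's PCAP are the first twelve bytes of the IPv4 header: 0x45 is version 4 / IHL 5, 0x003c is a total length of 60, 0x3f is the TTL and 0x06 is protocol TCP. A 60-byte IP packet inside a 14-byte Ethernet header, a 6-byte PPPoE session header and a 2-byte PPP protocol field is exactly the 82 bytes tcpdump reports for the original frame, so the written records start at the IP header while the record length of the full frame is kept. The script below is an added example, not Bro code and not part of the report: it constructs the SYN from the first tcpdump line above as a PPPoE session frame (the Ethernet MACs are made up, the IPv4 header bytes are taken from the report's output, and the TCP checksum is left at zero), decodes it through Ethernet, PPPoE and PPP, shows what tcpdump would print when the same record is read with the first 22 bytes missing, and applies a heuristic check that flags Ethernet records which really begin with an IPv4 header. With the 192.168 addresses printed in the tcpdump lines, the bogus ethertype reads 0xc0a8, the first two bytes of the source address; the value differs from the report because it depends on the real source address. The pcap reader and writer are minimal little-endian DLT_EN10MB helpers written for this example.

```python
"""Decode PPPoE-encapsulated IPv4 and flag DLT_EN10MB records that actually
begin at the IPv4 header.  Added example; the frame is constructed here."""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_PPPOE_SESSION = 0x8864
PPP_PROTO_IPV4 = 0x0021
KNOWN_ETHERTYPES = {0x0800, 0x0806, 0x8100, 0x86DD, 0x8863, 0x8864, 0x88A8}
PCAP_MAGIC, DLT_EN10MB = 0xA1B2C3D4, 1


def ethernet_header(record):
    """Read a record the way a DLT_EN10MB reader (e.g. tcpdump) does."""
    if len(record) < 14:
        raise ValueError("truncated Ethernet header")
    etype = struct.unpack("!H", record[12:14])[0]
    return {"dst_mac": record[:6].hex(":"), "src_mac": record[6:12].hex(":"),
            "ethertype": etype}


def decode_frame(frame):
    """Walk Ethernet -> [PPPoE session -> PPP] -> IPv4 -> TCP ports."""
    info = ethernet_header(frame)
    off = 14
    if info["ethertype"] == ETHERTYPE_PPPOE_SESSION:
        # PPPoE: ver/type 0x11, code 0x00 (session stage), session id, length
        vt, code, sess, _plen = struct.unpack("!BBHH", frame[off:off + 6])
        ppp = struct.unpack("!H", frame[off + 6:off + 8])[0]
        if vt != 0x11 or code != 0x00 or ppp != PPP_PROTO_IPV4:
            raise ValueError("not a PPPoE session frame carrying IPv4")
        info["pppoe_session"] = sess
        off += 8
    elif info["ethertype"] != ETHERTYPE_IPV4:
        raise ValueError("ethertype 0x%04x unknown" % info["ethertype"])
    ip = frame[off:]
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto = struct.unpack("!BBHHHBB", ip[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    info.update(src_ip=".".join(map(str, ip[12:16])),
                dst_ip=".".join(map(str, ip[16:20])), proto=proto)
    if proto == 6:
        info["sport"], info["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return info


def looks_like_stripped_ip(record):
    """Heuristic: an 'Ethernet' record whose bytes start with an IPv4 header.
    Version nibble 4, IHL >= 5, unknown ethertype, total length fits."""
    if len(record) < 20:
        return False
    etype = struct.unpack("!H", record[12:14])[0]
    total_len = struct.unpack("!H", record[2:4])[0]
    return (record[0] >> 4 == 4 and (record[0] & 0x0F) >= 5
            and etype not in KNOWN_ETHERTYPES and 20 <= total_len <= len(record))


def build_sample_frame():
    """Constructed PPPoE frame for the SYN on the first tcpdump line above."""
    tcp_opts = (b"\x02\x04\x05\x64" b"\x01" b"\x03\x03\x09" b"\x04\x02"   # mss 1380,nop,wscale 9,sackOK
                b"\x08\x0a" + struct.pack("!II", 139402792, 0))        # TS val/ecr
    tcp = struct.pack("!HHIIBBHHH", 25095, 443, 2317077818, 0,
                      (5 + len(tcp_opts) // 4) << 4, 0x02, 65535, 0, 0) + tcp_opts
    # version/IHL, TOS, total length 60, ID, DF, TTL 63, TCP, checksum: from the report
    ip = (bytes.fromhex("45 00 00 3c aa 49 40 00 3f 06 da 8a")
          + bytes([192, 168, 110, 235]) + bytes([192, 168, 162, 218]) + tcp)
    pppoe = struct.pack("!BBHHH", 0x11, 0x00, 0x279A, len(ip) + 2, PPP_PROTO_IPV4)
    eth = bytes.fromhex("001122334455 66778899aabb") + struct.pack("!H", ETHERTYPE_PPPOE_SESSION)
    return eth + pppoe + ip


def write_pcap(records):
    """Minimal little-endian DLT_EN10MB pcap (timestamps zeroed)."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(r), len(r)) + r for r in records)


def scan_pcap(data):
    """Return (index, caplen, stripped?) for every record of an Ethernet pcap."""
    magic, *_rest, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != DLT_EN10MB:
        raise ValueError("expected a little-endian DLT_EN10MB pcap")
    off, out = 24, []
    while off + 16 <= len(data):
        caplen = struct.unpack("<IIII", data[off:off + 16])[2]
        rec = data[off + 16:off + 16 + caplen]
        out.append((len(out), caplen, looks_like_stripped_ip(rec)))
        off += 16 + caplen
    return out


if __name__ == "__main__":
    frame = build_sample_frame()
    print(decode_frame(frame))                 # real PPPoE/IP decode
    print(ethernet_header(frame[22:]))         # what tcpdump shows once 22 bytes are gone
    print(scan_pcap(write_pcap([frame, frame[22:]])))
```

Running `scan_pcap` over a Bro-written pcap loaded with `open(path, "rb").read()` lists which records have the symptom; the check is a heuristic, so a genuine Ethernet frame whose destination MAC happens to start with 0x4x and whose ethertype is not in the small known set would also be flagged.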
--
This message was sent by Atlassian JIRA
(v6.5-OD-03-002#65000)
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev