Packetbeat Exiting: Sniffer main loop failed: Unsupported link type: UnknownLinkType(12)

beat2beat · November 5, 2018, 9:01am

Hello,

I came into this exception when trying to read a valid pcap file. I can read the file with tcpdump -r .
I verified that this is a valid pcap file (d4 c3 b2 a1 header), but still getting this exception. I noticed that the linktype mentioned by tcpdump is linktypeRaw and I guess packetbeat can't read this link type. Is there any workaround for this situation?.

Thanks.

Edit: New problem: The peoblem was that L2 traffic was missing in the pcap file. we have been edit the packets and created new file, and now packetbeat does read the file, but it omits L7 of the packet (it doesn't send any SSL values to elasticsearch, only L4 and below).

adrisr · November 8, 2018, 11:34am

it omits L7 of the packet (it doesn't send any SSL values to elasticsearch, only L4 and below).

This is probably due to a known issue with PCAP files (first point in this issue).

If you're passing the -t option to Packetbeat, try without it.

beat2beat · November 8, 2018, 11:43am

I'm not using -t flag, just -I, for example:
packetbeat -I pcap.pcap.

Do you have any ideas how to work with packetbeat with snort/nfqeue packets?

system · December 6, 2018, 11:43am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Wireless LAN: Unsupported link type Beats packetbeat	4	1021	July 6, 2017
PCAP data with Packetbeat Beats packetbeat	1	618	September 27, 2021
Packetbeat error connecting to elasticsearch Beats packetbeat	4	179	April 30, 2024
Using packetbeat with macos/ios remote virutal interface Beats packetbeat	6	594	August 19, 2019
Packetbeat - Bug parsing http method Beats beats-development , packetbeat	1	533	October 25, 2020

Packetbeat Exiting: Sniffer main loop failed: Unsupported link type: UnknownLinkType(12)

Related topics