Packetbeat Exiting: Sniffer main loop failed: Unsupported link type: UnknownLinkType(12)

Hello,

I ran into this exception when trying to read a valid pcap file. I can read the file with tcpdump -r .
I verified that this is a valid pcap file (d4 c3 b2 a1 header), but I'm still getting this exception. I noticed that the link type mentioned by tcpdump is linktypeRaw, and I guess packetbeat can't read this link type. Is there any workaround for this situation?

Thanks.

Edit: New problem: The problem was that L2 traffic was missing in the pcap file. We edited the packets and created a new file, and now packetbeat does read the file, but it omits L7 of the packet (it doesn't send any SSL values to elasticsearch, only L4 and below).
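The edit above describes adding the missing L2 layer by hand. One way to do that rewrite, as an added example that is not from this thread or from the Packetbeat project: it reads the link type from the pcap global header and, for a raw-IP capture, prepends a synthetic Ethernet header to every record. The function names, the placeholder MAC addresses and the constructed sample capture are assumptions, as is treating link type 12 as raw IP (which is what tcpdump reported for this file).

```python
import struct

RAW_LINKTYPES = {12, 101}      # 12 = DLT_RAW (the value in the error), 101 = LINKTYPE_RAW
LINKTYPE_ETHERNET = 1
ETHERTYPES = {4: 0x0800, 6: 0x86DD}   # keyed by the IP version nibble
# Assumption: placeholder locally administered MACs, not taken from any real host.
DST_MAC, SRC_MAC = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")

def byte_order(data):
    """struct byte-order prefix for a classic (microsecond) pcap file."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    return order

def linktype(data):
    """Link-layer type from the 'network' field at offset 20 of the global header."""
    return struct.unpack_from(byte_order(data) + "I", data, 20)[0]

def raw_to_ethernet(data):
    """Return a copy of a raw-IP pcap with a synthetic Ethernet header on each record."""
    e = byte_order(data)
    snaplen, link = struct.unpack_from(e + "II", data, 16)
    if link not in RAW_LINKTYPES:
        raise ValueError("link type %d is not raw IP" % link)
    out = bytearray(data[:16]) + struct.pack(e + "II", snaplen + 14, LINKTYPE_ETHERNET)
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl, orig = struct.unpack_from(e + "IIII", data, off)
        pkt = data[off + 16:off + 16 + incl]
        if incl == 0 or len(pkt) != incl:
            raise ValueError("empty or truncated record")
        ethertype = ETHERTYPES.get(pkt[0] >> 4)
        if ethertype is None:
            raise ValueError("record does not start with an IPv4/IPv6 header")
        out += struct.pack(e + "IIII", ts_sec, ts_usec, incl + 14, orig + 14)
        out += DST_MAC + SRC_MAC + struct.pack("!H", ethertype) + pkt
        off += 16 + incl
    return bytes(out)

def sample_raw_pcap():
    """Constructed sample: link type 12, one minimal 20-byte IPv4 header (checksum left 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    hdr = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 12)
    return hdr + struct.pack("<IIII", 0, 0, len(ip), len(ip)) + ip
```

The rewrite only changes the link layer; it does nothing about the missing L7 fields described in the same edit.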

it omits L7 of the packet (it doesn't send any SSL values to elasticsearch, only L4 and below).

This is probably due to a known issue with PCAP files (first point in this issue).

If you're passing the -t option to Packetbeat, try without it.

I'm not using the -t flag, just -I, for example:
packetbeat -I pcap.pcap.

Do you have any ideas how to work with packetbeat with snort/nfqueue packets?
