Cannot replay capture file


Installed the test environment for DNS FW.  I have done a packet capture via the Grid Manager on a DNS server.  When I upload the traffic capture file and run it in the test environment I get an error message.  Any suggestion on how to fix this issue?  I also tried to upload the syslog I downloaded via Grid Manager and that did not work, either!

 

--- 2015-03-02 13:56:01 ---

Check Testbed:

Grid Master connection for DNSFW is OK

Reporting member connection is OK

DNS service is OK

NTP service is OK

Reporting service is OK

RPZ feed is synchronized

 

--- 2015-03-02 14:08:33 ---

File traffic.cap has been successfully uploaded

 

--- 2015-03-02 14:08:55 ---

Play PCAP file 'traffic.cap' with DNS IP 7.7.7.7:

Filtering pcap file...

reading from file /opt/uploads/packet_captures/traffic.cap, link-type LINUX_SLL (Linux cooked)

Rewriting dst ip/mac of packets in pcap file...

 

Fatal Error in tcpedit.c:tcpedit_packet() line 114:

From ./plugins/dlt_linuxsll/linuxsll.c:dlt_linuxsll_encode() line 219:

DLT_LINUX_SLL plugin does not support packet encoding

Error rewriting dst ip/mac


Hi Jerry,

Thank you for posting your question.  I've reached out to a few people internally that should be responding shortly.  Feel free to reach out directly if needed to: erics @ infoblox (dot) com

Best,

Eric

 


Hi Jerry,

Spoke with one of our folks who recommended doing the following.  Please let us know if this resolved the issue for you.

1.  Convert the pcap file from LINUX_SLL to EN10MB format using tcprewrite:

tcprewrite --dlt=enet --infile=<input-pcapfile> --outfile=<output-pcapfile>

 

Then you should be able to upload the converted pcap file to the GuideVM and retry the playback.
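
The following is an added example, not part of the original posts and not Infoblox or tcpreplay code. It shows in Python what the LINUX_SLL to EN10MB conversion involves and how to check a capture's link type before uploading it. The function names, the placeholder destination MAC and the constructed sample capture are assumptions, and only classic pcap files (not pcapng) are handled.

```python
import struct

DLT_EN10MB, DLT_LINUX_SLL = 1, 113  # pcap link-type codes
SLL_LEN, ETH_LEN = 16, 14           # header sizes: Linux cooked v1, Ethernet

def pcap_header(data):
    """Return (struct byte-order prefix, link type) of a classic pcap file."""
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # little-endian
        order = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # big-endian
        order = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    return order, struct.unpack(order + "I", data[20:24])[0]

def sll_to_ethernet(data, dst_mac=b"\x02\x00\x00\x00\x00\x01"):
    """Rewrite LINUX_SLL records as EN10MB frames.

    SLL keeps no destination address, so dst_mac is a placeholder (assumption).
    """
    order, linktype = pcap_header(data)
    if linktype == DLT_EN10MB:
        return data  # already Ethernet
    if linktype != DLT_LINUX_SLL:
        raise ValueError(f"unsupported link type {linktype}")
    out = bytearray(data[:20] + struct.pack(order + "I", DLT_EN10MB))
    pos = 24
    while pos + 16 <= len(data):
        sec, frac, caplen, origlen = struct.unpack(order + "4I", data[pos:pos + 16])
        pkt = data[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if len(pkt) < SLL_LEN:
            continue  # truncated record: no complete SLL header to convert
        # SLL v1: pkttype(2) hatype(2) halen(2) addr(8) protocol(2), big-endian
        halen = struct.unpack(">H", pkt[4:6])[0]
        src_mac = pkt[6:12] if halen == 6 else b"\x00" * 6
        frame = dst_mac + src_mac + pkt[14:16] + pkt[SLL_LEN:]
        origlen = max(origlen - (SLL_LEN - ETH_LEN), len(frame))
        out += struct.pack(order + "4I", sec, frac, len(frame), origlen) + frame
    return bytes(out)

def sample_sll_pcap():
    """Constructed one-packet LINUX_SLL capture (not real traffic)."""
    sll = struct.pack(">HHH8sH", 4, 1, 6, bytes.fromhex("0011223344550000"), 0x0800)
    pkt = sll + b"\x45" + b"\x00" * 19  # stand-in for an IPv4 header
    glob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_LINUX_SLL)
    return glob + struct.pack("<4I", 0, 0, len(pkt), len(pkt)) + pkt

if __name__ == "__main__":
    before, after = sample_sll_pcap(), sll_to_ethernet(sample_sll_pcap())
    print(pcap_header(before)[1], "->", pcap_header(after)[1])
```

Running `pcap_header()` on a capture file's bytes before upload shows whether it is still link type 113 (LINUX_SLL), the type the playback log above rejects, or 1 (EN10MB).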
