Logs not generated from pcap on Windows (cooked/SLL problem?) #3609
Labels
Comments
timwoj
added
Area: Windows
Type: Bug 🐛
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
timwoj
added
Area: Windows
Type: Bug 🐛
A user from the Zui community in a Slack thread reported that they were not seeing Zeek logs generated from their pcap. When reproducing the issue myself, I found that Zeek v6.0.3 produced logs from their pcap just fine on both Linux and macOS but the problem was specific to Windows. Looking at their capture I could see it was of the cooked/SLL variety such as support was added for in Zeek in #2340. But perhaps there's some remaining problem with that change not working fully on Windows?
Since I wasn't clear on if I could share their test data, I whipped up my own small test capture ifconfig-cooked.pcapng.gz which is just a capture of me doing
curl ifconfig.cofrom a VM on my laptop. So for example the Zeek log types generated from processing this pcap successfully on macOS:By comparison, on Windows:
And specifically, that
noticeevent looks like just a complaint about inability to read the data.The text was updated successfully, but these errors were encountered: