RE: Hardcore -r question

[Mark Evans <Mark.Evans () Optimation co nz>]

note that 111 in binary is          01101111
and that 62319 in binary is 1111001101101111

so if you just look at the binary then they
both match on the 2nd byte - the one that [3:1]
looks at.

it would have matched a whole load of other
packets that ended 01101111 if you had received 
any.

as i understand it (ymmv)

cheers,

-- 
me


> From: Martin Roesch [mailto:roesch () sourcefire com] 
> Subject: Re: [Snort-users] Hardcore -r question
>
>
> Try 'tcp[2:2] == 111', I bet that'll work.  BPF starts 
> counting at zero for headers, so tcp[0:2] covers the first 
> 16-bits of the tcp header,  tcp[2:2] covers the second 
> 16-bits (i.e. the destination port).
>
> You could also just say 'dst port 111'.
>
>     -Marty
>
> John Sage wrote:
> > I'm playing with using the -r switch and tcpdump syntax on 
> a binary log file, and I'm having one heckuva time understanding why 
> this command line:
> > snort -dv -r snort-0609 () 0724 log 'tcp[3:1] == 111 '
> >
> > returns what it does.
> >
> > I expect it to return packets with destination port 111, 
> which it does,
> > but WTF? it returns five other packets with a value of 62319 as the
> > destination port, too.

[cut]

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users