Re: Snort output

[Matt Kettler <mkettler () evi-inc com>]

Could you please make future posts to this list in non-html form. Several 
on the list can't read HTML, and my reader (or your mailer) mangled at 
least the first part of the message. I'm too lazy to look at the source to 
figure out  which end mangled the url schema tag so badly.


So what you have there is an ICMP packet.

breaking down the first line:

192.168.0.2 -> 192.168.0.1 ICMP TTL:56 TOS:0x0 ID:58201 IpLen:20 DgmLen:28

You have a packet going from 192.168.0.2 to 192.168.0.1. The transport 
layer is ICMP (as opposed to TCP or UDP). It has a time to live of 56 
router hops, no type of service bits requested, an IP layer packet ID of 
58201. The IP layer header length is 20 bytes, and the total datagram 
(including IP header, transport and application layer data) is 28 bytes.

ICMP packets have types and codes. Type 8 Code 0 is an echo request packet, 
more commonly called a ping. In general snort processes the type/code field 
for ICMP packets and gives you a short description of the packet, which is 
why your example has "ECHO" at the end..

 Other common examples of  ICMP message type/code pairings include 3/1 
(destination unreachable because the host is unreachable), 3/3 (destination 
unreachable because the port is unreachable), 0/0 (echo reply, the answer 
generated in response to a echo request.)

Yes, seq is the sequence number.. but realize that is an ICMP echo sequence 
number, not a TCP sequence number. They do similar things, but are not the 
same, unlike TCP where the sequence starts random and goes up by the number 
of bytes sent, ICMP echo sequence numbers generally (but not always) start 
at 0 and go up by 1 per packet sent. ID on the second line is the ICMP echo 
ID number.

the Frag trackers, etc are output regarding how many packets were 
defragmented/reassembled by the frag2 and stream4 preprocessors, as well as 
a count of how many times they had to fail due to insufficient memory.

At 01:04 AM 5/11/2002 +0100, Tommy Tsilalis wrote:



> I would like someone to give me some help in understanding parts of the 
> following snort output.
>
>
> 05/10-00:32:58.272341 x:xx:xx:xx:xx:xx -> xx:xx:x:xx:x:xx type:0x800 
> len:0x3C<?xml:namespace prefix = o ns = 
> "urn:schemas-microsoft-com:office:office" />
>
> 192.168.0.2 -> 192.168.0.1 ICMP TTL:56 TOS:0x0 ID:58201 IpLen:20 DgmLen:28
>
> Type:8  Code:0  ID:51010   Seq:0  ECHO.
>
>
>
> Is that header type and length in the first line?
>
> In the last what do Type:0 and Code:0 mean?
>
> I take it tha Seq:0 applies to the sequence number...
>
>
>
> Fragment Trackers: 0
>
> Frag2 memory faults:0
>
> Stream Trackers: 0
>
> Stream flushes: 0
>
> Segments used: 0
>
> Stream4 Memory Faults: 0
>
>
>
> Finally could you plz tell me what do the above mean.?
>
> Please help.
>
>
>
> Thanx
>
>
>
> Thomas
>
>
>
>
> ----------
> Join the world's largest e-mail service with MSN Hotmail. Click Here
> _______________________________________________________________ Have big 
> pipes? SourceForge.net is looking for download mirrors. We supply the 
> hardware. You get the recognition. Email Us: bandwidth () sourceforge net 
> _______________________________________________ Snort-users mailing list 
> Snort-users () lists sourceforge net Go to this URL to change user options or 
> unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users 
> Snort-users list archive: 
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


_______________________________________________________________

Have big pipes? SourceForge.net is looking for download mirrors. We supply
the hardware. You get the recognition. Email Us: bandwidth () sourceforge net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users