Snort mailing list archives
Re: tcpdump and snort report 2 different TTL values
From: Chris Green <cmg () snort org>
Date: Wed, 27 Mar 2002 06:52:26 -0500
Safka <safka () triad rr com> writes:
When I read the file back in using tcpdump, I see the ttl value of 128 (both hosts are on the same segment). When I read the file using Snort I get 2 alerts - one with the tool's TTL value of 255 and one with the w2k ttl of 128. I can live with this, however I was wondering why this behavior is occurring. Any thoughts?
Smells like an unsigned/signed bug in readback, though not sure. Would you send me the pcap for the packet?
--
Chris Green <cmg () snort org>
"I'm beginning to think that my router may be confused."