Snort mailing list archives

Re: tcpdump and snort report 2 different TTL values


From: Chris Green <cmg () snort org>
Date: Wed, 27 Mar 2002 06:52:26 -0500

Safka <safka () triad rr com> writes:

When I read the file back in using tcpdump, I see the ttl value of 128
(both hosts are on the same segment).

When I read the file using Snort I get 2 alerts - one with the tool's
TTL value of 255 and one with the w2k ttl of 128. I can live with this;
however, I was wondering why this behavior is occurring.

Any thoughts?

Smells like an unsigned/signed bug in readback though not sure.  Would
you send me the pcap for the packet?


-- 
Chris Green <cmg () snort org>
"I'm beginning to think that my router may be confused."
