Snort mailing list archives
RE: "OTHER" protocol packets
From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Wed, 13 Nov 2002 16:22:17 -0500
Other could be any other IP protocol type, I believe (ESP, GRE, etc). You could try ntop, if you're interested in seeing what's out there--great tool.
-----Original Message-----
From: Peter Caffin [mailto:peterc+snortlist () autons net au]
Sent: Wednesday, November 13, 2002 4:03 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] "OTHER" protocol packets

Hi all,

I have a colocated box running snort that has produced the following summary (snort run 2002/11/13 7.03am to 11/14 4.44am WST +0800):

    Snort analyzed 277068 out of 277068 packets, dropping 0(0.000%) packets

    Breakdown by protocol:                Action Stats:
        TCP: 28700      (10.358%)         ALERTS: 0
        UDP: 84281      (30.419%)         LOGGED: 0
       ICMP: 68         (0.025%)          PASSED: 0
        ARP: 119465     (43.118%)
       IPv6: 0          (0.000%)
        IPX: 0          (0.000%)
      OTHER: 44554      (16.081%)
    DISCARD: 0          (0.000%)

It's not a high-traffic site by any means and the box has been located in a /25 subnet with some of their other customers. (The UDP is high due to their colocated luser customers sending out volumes of netbios and bootp crap to their broadcast.)

What really concerns me is the extremely high ARP count (I've opened a case with my provider) and the stuff listed as "OTHER".

Anyone care to speculate what sort of traffic this "OTHER" protocol garbage might be? Can anyone recommend any tools that would be useful to find out?

Thanks.

--
----------------------------------------------------------------------
Peter Caffin, Automatic Networking Solutions Pty. Ltd. (ACN 099822965)
http://www.autons.net.au/
PO Box 283, North Perth WA 6906, Australia
----------------------------------------------------------------------

-------------------------------------------------------
This sf.net email is sponsored by: Are you worried about your web server security?
Click here for a FREE Thawte Apache SSL Guide and answer your Apache SSL security needs: http://www.gothawte.com/rd523.html
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
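One way to see what sits outside the named rows of a summary like the one quoted above, as an added example that is not part of the thread and not Snort or ntop code: a small classic-pcap reader that labels each frame by EtherType or IPv4 protocol number. The function names, the sample capture, and the assumption that unnamed traffic is what gets lumped together are all constructed for illustration; the page does not say how Snort fills its OTHER counter.

```python
import struct
from collections import Counter

ETHERTYPES = {0x0806: "ARP", 0x86DD: "IPv6", 0x8137: "IPX"}
IP_PROTOS = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}
NAMED_ROWS = {"TCP", "UDP", "ICMP", "ARP", "IPv6", "IPX"}  # rows in the summary above

def classify(frame: bytes) -> str:
    """Label one Ethernet frame by EtherType, or by IPv4 protocol number."""
    if len(frame) < 14:
        return "truncated"
    etype = struct.unpack_from("!H", frame, 12)[0]
    if etype < 0x0600:          # 802.3 length field, not an EtherType (LLC, STP...)
        return "802.3/LLC"
    if etype != 0x0800:
        return ETHERTYPES.get(etype, f"ethertype 0x{etype:04x}")
    if len(frame) < 34:
        return "truncated"
    return IP_PROTOS.get(frame[23], f"ip-proto {frame[23]}")

def tally(pcap: bytes) -> Counter:
    """Count frames in a classic little-endian Ethernet pcap by label."""
    magic, linktype = struct.unpack_from("<I16xI", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap, Ethernet link type")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        counts[classify(pcap[off + 16: off + 16 + incl_len])] += 1
        off += 16 + incl_len
    return counts

def unnamed(counts: Counter) -> dict:
    """Assumption: whatever has no named row is what ends up lumped together."""
    return {k: v for k, v in counts.items() if k not in NAMED_ROWS}

def build_sample() -> bytes:
    """Constructed capture: ARP, TCP, GRE, ESP, an 802.3 frame, AppleTalk."""
    def eth(etype, payload=b""):
        return b"\xff" * 6 + b"\x02" + b"\x00" * 5 + struct.pack("!H", etype) + payload
    def ip4(proto):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                           bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    frames = [eth(0x0806, b"\x00" * 28), eth(0x0800, ip4(6)), eth(0x0800, ip4(47)),
              eth(0x0800, ip4(50)), eth(0x0026, b"\x42\x42\x03"), eth(0x809B)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

Calling unnamed(tally(data)) on the bytes of a capture file taken on the sensor's interface lists only the labels without a named row, which is the breakdown the summary does not give.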
Current thread:
- "OTHER" protocol packets Peter Caffin (Nov 13)
- Re: "OTHER" protocol packets Michael Anderson (Nov 13)
- <Possible follow-ups>
- RE: "OTHER" protocol packets McCammon, Keith (Nov 13)