Snort mailing list archives

Re: tcpdump - showing data size


From: Martin Roesch <roesch () sourcefire com>
Date: Tue, 01 Oct 2002 21:05:49 -0400

On 10/1/02 6:16 PM, "netsec novice" <netsec9 () hotmail com> wrote:

> I have recently set up SNORT with the basic signatures and as a side effect
> have discovered that our Risc server seems to be sending out a bunch of icmp
> echo request traffic.  I am trying to narrow down the destination hosts to
> give our Unix admin more info to determine the source of the requests (app,
> cron, etc.).  The rule that is triggering the alert in SNORT is 'Large ICMP
> packet' which is defined by the rule:
>
> alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800;)
>
> I can tell from the Snort logs that the risc box is initiating the echo
> requests.  I am running 'tcpdump icmp[0]=8' on the Risc server and I am
> wanting to narrow the capture down to the packets that are triggering the
> alerts (i.e. > 800).  How do I display the packet size? Is dsize synonymous

The dsize value is referring to the number of bytes in the packet payload.
The IP header will indicate the overall size of the packet in the DgmLen
field, which includes the size of the IP and transport layer headers.

> with bytes, i.e. > 800 bytes?  I have tried the -v operator but it doesn't
> really show much.

Try -d with -v.  Additionally, read the USAGE file, it'll get you pointed in
the right direction and it only takes a few minutes.

     -Marty


-- 
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
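Worked example, added here and not part of Marty's reply or of Snort itself: it builds a synthetic IPv4/ICMP echo request, reports the two figures Marty distinguishes (the DgmLen total length carried in the IP header versus the payload length that Snort's dsize tests) and emits the tcpdump filter that selects packets by the same payload measure, so a capture on the RISC box lines up with the alerts. It assumes Snort measures an echo request's dsize from the byte after the 8-byte ICMP echo header (type, code, checksum, identifier, sequence) and that the IHL field correctly describes the IP header length; the addresses, identifier and payloads are constructed test values, not captured traffic.

```python
"""Relate Snort's dsize to the IP total length (DgmLen) for ICMP echo requests.

Added example, not code from the original mail or from Snort. Assumption:
Snort's dsize for an echo request counts the bytes after the 8-byte ICMP
echo header (type, code, checksum, id, seq). Packets here are raw IPv4
datagrams with no link-layer header; all values are constructed test data.
"""
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length padded with 0)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload: bytes, src: str = "10.0.0.5", dst: str = "10.0.0.9",
                       ident: int = 0x1234, seq: int = 1) -> bytes:
    """Construct a minimal IPv4 + ICMP echo request (constructed test input)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = struct.pack("!BBHHH", 8, 0, inet_checksum(icmp), ident, seq) + payload
    total_len = 20 + len(icmp)                       # no IP options: IHL = 5
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0, src_b, dst_b)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def ip_total_length(pkt: bytes) -> int:
    """DgmLen: bytes 2-3 of the IP header; covers IP header + ICMP header + payload."""
    return struct.unpack("!H", pkt[2:4])[0]


def snort_dsize(pkt: bytes) -> int:
    """What dsize tests for an ICMP echo: bytes after the IP header and 8-byte echo header."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        raise ValueError("not an ICMP datagram")
    if pkt[ihl] not in (0, 8):
        raise ValueError("not an echo request/reply")
    return ip_total_length(pkt) - ihl - 8


def exceeds_threshold(pkt: bytes, threshold: int = 800) -> bool:
    """True when the quoted rule's dsize:>threshold test would match this packet."""
    return snort_dsize(pkt) > threshold


def large_icmp_filter(threshold: int = 800, icmp_type: int = 8) -> str:
    """tcpdump/BPF expression doing the same arithmetic: total length minus IHL*4 minus 8."""
    return "icmp[0]=%d and ip[2:2]-((ip[0]&0xf)<<2)-8 > %d" % (icmp_type, threshold)


if __name__ == "__main__":
    for label, payload in (("default ping (56 data bytes)", b"A" * 56),
                           ("ping -s 1000", b"A" * 1000)):
        pkt = build_echo_request(payload)
        print("%-30s DgmLen=%4d  dsize=%4d  matches dsize:>800: %s"
              % (label, ip_total_length(pkt), snort_dsize(pkt), exceeds_threshold(pkt)))
    print("tcpdump filter:", large_icmp_filter())
```

A stock 56-byte ping comes out as DgmLen 84 / dsize 56 and a `ping -s 1000` as DgmLen 1028 / dsize 1000, so only the latter crosses dsize:>800 even though both are well over 800 bits of anything else one might count. On the capture side, `tcpdump -n -v 'icmp[0]=8 and ip[2:2]-((ip[0]&0xf)<<2)-8 > 800'` applies the same subtraction in BPF; -v prints the IP total length, which is the DgmLen figure, not the payload length. The quoted rule is $EXTERNAL_NET -> $HOME_NET, so it fires on packets arriving at the home network; when the RISC box is the one sending requests, the inbound packets are the replies, so capturing type 0 as well (`large_icmp_filter(icmp_type=0)`) is worth doing.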



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

