Snort mailing list archives
Re: tcpdump - showing data size
From: Martin Roesch <roesch () sourcefire com>
Date: Tue, 01 Oct 2002 21:05:49 -0400
On 10/1/02 6:16 PM, "netsec novice" <netsec9 () hotmail com> wrote:
> I have recently set up SNORT with the basic signatures and as a side effect have discovered that our Risc server seems to be sending out a bunch of icmp echo request traffic. I am trying to narrow down the destination hosts to give our Unix admin more info to determine the source of the requests (app, cron, etc.). The rule that is triggering the alert in SNORT is 'Large ICMP packet' which is defined by the rule: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IMCP Large ICMP Packet"; dsize: > 800; I can tell from the Snort logs that the risc box is initiating the echo requests. I am running 'tcpdump icmp[0]=8' on the Risc server and I am wanting to narrow the capture down to the packets that are triggering the alerts (i.e. > 800). How do I display the packet size? Is dsize synonymous

The dsize value is referring to the number of bytes in the packet payload. The IP header will indicate the overall size of the packet in the DgmLen field, which includes the size of the IP and transport layer headers.

> with bytes, i.e. > 800 bytes? I have tried the -v operator but it doesn't really show much.
Try -d with -v. Additionally, read the USAGE file, it'll get you pointed in the right direction and it only takes a few minutes.

-Marty

--
Martin Roesch - Founder/CTO Sourcefire Inc. - (410) 290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
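A worked illustration of the dsize versus DgmLen distinction discussed in the reply above, added to this archive page and not part of either message: it builds constructed IPv4 echo requests (addresses, identifier and payload sizes are made up), reads the IP total length that tcpdump reports as DgmLen, derives the Snort-style dsize by subtracting the IP and ICMP header lengths, and applies the rule's "dsize: > 800" test to show why filtering on datagram length alone would not match the same packets.

```python
import struct

# Snort's dsize matches on the bytes after the transport (ICMP) header; the IP
# total length (tcpdump's DgmLen) also counts the IP and ICMP headers themselves.
ICMP_ECHO_REQUEST = 8
ICMP_HEADER_LEN = 8
IP_PROTO_ICMP = 1


def icmp_checksum(data: bytes) -> int:
    """One's-complement checksum over the ICMP message (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(payload: bytes) -> bytes:
    """Constructed IPv4 echo request (no IP options); addresses and id are made up.
    The IP header checksum is left at zero because only the size fields matter here."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IP_PROTO_ICMP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + icmp


def packet_sizes(pkt: bytes) -> dict:
    """Return DgmLen (IP total length) and the Snort-style dsize of an IPv4 ICMP packet."""
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    dgm_len = struct.unpack("!H", pkt[2:4])[0]     # what tcpdump -v prints as length
    if pkt[9] != IP_PROTO_ICMP:
        raise ValueError("not an ICMP packet")
    icmp_type = pkt[ihl]
    dsize = dgm_len - ihl - ICMP_HEADER_LEN         # payload only, as Snort sees it
    return {"dgm_len": dgm_len, "icmp_type": icmp_type, "dsize": dsize}


def matches_large_icmp(pkt: bytes, threshold: int = 800) -> bool:
    """Mirror of the rule's 'dsize: > 800' test: payload bytes, not datagram length."""
    return packet_sizes(pkt)["dsize"] > threshold
```

A 790-byte echo payload yields a DgmLen of 818 but a dsize of 790, so it does not trip the rule; this is the gap a capture filter on total length would mis-handle.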
Current thread:
- tcpdump - showing data size netsec novice (Oct 01)
- Re: tcpdump - showing data size Martin Roesch (Oct 01)