Snort mailing list archives
ICMP : Strange icmp payload decoding
From: Domingos Costa <domingos () microlink com br>
Date: Thu, 28 Aug 2003 15:55:48 -0300
Hi,

When I click on an ICMP alert, such as ICMP dest. unreach. or ICMP TTL exceeded, the payload field appears with a strange IP src/dst. For example, ACID shows me IP source 0.0.0.0:0 and IP dest 0.0.0.0:224 for the packet below. How can I configure Snort/ACID to show me the correct information? I saw some questions on the SnortUsers list about this same problem, but it was fixed last year. It was a little mistake in ACID. I'm using Snort 2.0.0 build 72 and ACID v0.9.6b23.
Thanks,
Domingos Costa

[...]
Generated by ACID v0.9.6b23 on Thu, 28 Aug 2003 13:42:29 -0300
------------------------------------------------------------------------------
#(1 - 639884) [2003-08-27 13:04:19] [snort/450] ICMP Time-To-Live Exceeded in Transit (Undefined Code!)
IPv4: ip_outsidemynet -> ip_insidemynet
      hlen=5 TOS=192 dlen=56 ID=47806 flags=0 offset=0 TTL=250 chksum=59304
ICMP: type=Time Exceeded code=0 checksum=48041 id= seq=
Payload: ....E..0f.@...n.......Y....[....
[...]
ACID v0.9.6b23 Version 2.0.0 (Build 72)
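For reference, the layout a front end has to decode for these alerts (RFC 792): after the ICMP type, code and checksum comes a 4-byte field (unused for Time Exceeded), then the IPv4 header of the original datagram and the first 8 bytes of its payload. The sketch below is an added example, not part of the original post and not Snort or ACID code; the function name, the sample bytes, and the assumption that the stored payload begins with that 4-byte field (consistent with the "E" at offset 4 in the dump above) are constructed for illustration.

```python
import ipaddress
import struct

# ICMP error types whose body quotes the offending datagram (RFC 792).
QUOTING_TYPES = {3: "Destination Unreachable", 11: "Time Exceeded"}

def decode_quoted_datagram(icmp_type, payload):
    """Decode the datagram quoted inside an ICMP error.

    `payload` is everything after the 4-byte type/code/checksum, so it starts
    with the 4-byte unused field and the quoted IPv4 header begins at offset 4.
    """
    if icmp_type not in QUOTING_TYPES:
        raise ValueError("ICMP type %d does not quote a datagram" % icmp_type)
    quoted = payload[4:]
    if len(quoted) < 20:
        raise ValueError("quoted IPv4 header is truncated")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", quoted[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("quoted datagram is not IPv4")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes, options included
    if ihl < 20 or len(quoted) < ihl:
        raise ValueError("bad IPv4 header length")
    info = {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "total_len": total_len,
            "sport": None, "dport": None}
    l4 = quoted[ihl:]
    # Only the first 8 bytes of the original transport header are guaranteed;
    # for TCP (6) and UDP (17) that is enough for both port numbers.
    if proto in (6, 17) and len(l4) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info

# Constructed sample (documentation addresses, not the bytes from the alert):
# 4 unused bytes + 20-byte IPv4 header + first 8 bytes of a TCP header.
SAMPLE = bytes.fromhex(
    "00000000"
    "45000030" "66004000" "01060000" "c0000205" "c6336459"
    "0bd5005b" "00000001")

if __name__ == "__main__":
    print(decode_quoted_datagram(11, SAMPLE))
```

Starting the decode at the wrong offset is rejected by the version check here rather than yielding nonsense addresses and ports.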