Re: query .. please someone help.

[Erek Adams <erek () snort org>]

On Tue, 16 Sep 2003, Clayton Mascarenhas wrote:

> Could I please know why I keep getting ... "responding! TCP[2] IP[0]
> UDP[0]" a million times on my screen everytime I run snort on a traffic
> data file? Its like that statement runs in some sort of a never ending
> loop. Please could I know why this is happening and how do I stop this
> from happening. Is there any option that goes with my snort command
> line

Are you sure that the message isn't "returning" instead?  If it is...

Snort is telling you that something isn't right on your network.  You've
got something creating packets with bad checksums.  If you take a look at
lines 88-103 in src/detect.c you'll see this:

    88      /*
    89       *  If the packet has an invalid checksum marked, throw that
    90       *  traffic away as no end host should accept it.
    91       *
    92       *  This can be disabled by config checksum_mode: none
    93       */
    94
    95      if(p->csum_flags)
    96      {
    97          printf("returning! TCP (%d) IP (%d) UDP (%d) \n",
    98                 (p->csum_flags & CSE_TCP),
    99                 (p->csum_flags & CSE_IP),
   100                 (p->csum_flags & CSE_UDP)
   101                 );
   102          return 0;
   103      }

Does that help?

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users