Snort mailing list archives
Re: TCP header length exceeds packet length
From: Phil Wood <cpw () lanl gov>
Date: Mon, 3 Nov 2003 16:26:44 -0700
If extol is getting the tcp off the wire then they probably need to know the mtu of your interface so you can set the snapshot length. If extol is reading a file you prepared, then it was probably read with a snaplen less than the maximum mtu of your interface. Or, finally, it might just be a corrupt packet.

You should do a full packet capture of the offending pc spew with probably something like:

    tcpdump -i <interface> -s 1514 ... -w pc.pcap host pc

on the assumption that you're using an ethernet interface for packet capture.

On Mon, Nov 03, 2003 at 03:38:55PM +0100, Erik Nyman wrote:
> Hi! I'm testing a tool built by extol
> (http://www.extol.com.my/news/warning/other/blaster_detection.htm)
> but I get this warning message that I don't understand.
>
> WARNING: TCP Header length exceeds packet length!
>
> I have searched for an explanation, but I can't find any. Anyone that can explain what to do about the PC that sends these packets?
>
> /Erik
--
Phil Wood (cpw_at_lanl.gov)
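The two causes named in the reply above (a snaplen shorter than the frame, or a genuinely corrupt packet) can be told apart from the capture file itself. This is an added example, not code from the thread, Snort or the extol tool. The function names, verdict labels and sample frames are constructed for illustration; it assumes a classic pcap file with Ethernet link type and IPv4.

```python
import struct

def tcp_frame(doff_words, tcp_len):
    """Constructed Ethernet/IPv4/TCP frame: tcp_len bytes of TCP on the wire,
    with the data-offset field claiming doff_words * 4 bytes of header."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 1025, 80, 0, 0, doff_words << 4, 2, 8192, 0, 0)
    return eth + ip + tcp + b"\x01" * (tcp_len - 20)  # pad with TCP NOP options

def build_pcap(snaplen, frames):
    """Constructed classic pcap (little-endian, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for f in frames:
        cap = f[:snaplen]  # what a capture with this snaplen would keep
        out += struct.pack("<IIII", 0, 0, len(cap), len(f)) + cap
    return out

def classify(pcap):
    """Return (snaplen, [verdict per record]) for a classic pcap byte string."""
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    snaplen = struct.unpack(end + "I", pcap[16:20])[0]
    pos, verdicts = 24, []
    while pos + 16 <= len(pcap):
        incl, orig = struct.unpack(end + "II", pcap[pos + 8:pos + 16])
        data = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if len(data) < 34 or data[12:14] != b"\x08\x00" or data[23] != 6:
            verdicts.append("skipped")  # not IPv4/TCP, or too short to tell
            continue
        tcp_off = 14 + (data[14] & 0x0F) * 4
        if incl < tcp_off + 13:  # data-offset byte itself was not captured
            verdicts.append("snaplen-truncated" if incl < orig else "malformed")
            continue
        hdr = (data[tcp_off + 12] >> 4) * 4  # TCP header length in bytes
        if hdr < 20 or hdr > orig - tcp_off:
            verdicts.append("malformed")  # header never fit on the wire
        elif hdr > incl - tcp_off:
            verdicts.append("snaplen-truncated")  # fit on the wire, cut by capture
        else:
            verdicts.append("ok")
    return snaplen, verdicts

if __name__ == "__main__":
    frames = [tcp_frame(5, 20), tcp_frame(10, 40), tcp_frame(15, 20)]
    for snaplen in (68, 1514):
        print(classify(build_pcap(snaplen, frames)))
```

A record whose captured length is below its original length is an artifact of the capture settings and disappears when the traffic is recaptured at full frame size; a record that is still flagged at full size is one the sender actually put on the wire that way.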