Snort mailing list archives
Truncated UDP Header
From: "Koren, Alexander" <a.koren () broadnet-mediascape de>
Date: Sun, 21 Mar 2004 17:49:01 +0100
Hi there, sometimes I get the following warning from Snort: [**] (snort_decoder) WARNING: Truncated UDP Header! [**] 03/21-13:13:42.088423 xxx.xxx.xxx.xxx:0 -> xxx.xxx.xxx.xxx:0 UDP TTL:255 TOS:0x0 ID:31424 IpLen:20 DgmLen:20 That means that the UDP Header is less than 8 bytes, okay? But I wonder why the source and destination port is 0. AFAIK port 0 is reserved for special use as stated in RFC 1700. When you specify the source port of 0 when you connect to a host, the OS automatically reassigns the port number to high numbered ephemeral port. Could some please explain me, what is exactly going on here (or post some links)? Thanks in advance, Alex. ------------------------------------------------------- This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id70&alloc_id638&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Truncated UDP Header Koren, Alexander (Mar 21)