Snort mailing list archives
Re: Reconstruction of TCP packets
From: Rajesh Joseph <tech_joseph () yahoo com>
Date: Mon, 29 Mar 2004 05:19:22 -0800 (PST)
Hi Dirk,

I know stream4 (stream4_reassemble) is used to reassemble the TCP packets, but in my case it is not doing so..... It only dumps that packet which caused the alert but not the entire assembled packet. Do I have to do anything extra, so that Snort will dump all the reassembled packets when it captures any alert in one of its (sessions) packets? I hope you got my problem....

Rajesh

Dirk Geschke <Dirk_Geschke () genua de> wrote:
> Hi Rajesh,
>
>> I like to reconstruct all the TCP packets of a particular session. I am using Snort 2.1.0. I know Stream4 provides this functionality, but I don't know how to dump all the packets in the log. It is only logging a single packet.
>
> but this is how stream4 works: It builds one big "pseudo" packet of the reassembled TCP packets. So you get one packet with the full TCP payload. What else did you expect?
>
> Best regards
> Dirk
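The "pseudo" packet behaviour discussed in this message, as an added example that is not part of the original thread and is not Snort's stream4 code: a sketch that merges one direction of a TCP session into a single payload and shows a signature that matches only on the merged payload, never on an individual segment. The function names, sequence numbers and sample segments are constructed, and 32-bit sequence wraparound is assumed not to occur.

```python
# Added illustration; not Snort code. All names and data below are constructed.

def reassemble(segments, isn):
    """Merge (seq, payload) segments of one direction into one payload.

    Tolerates out-of-order arrival and overlapping retransmissions
    (bytes already accepted are kept). Stops at the first gap, because
    data after a missing segment cannot be delivered in order.
    """
    stream = bytearray()
    next_seq = isn + 1                      # first data byte follows the SYN
    for seq, data in sorted(segments, key=lambda s: s[0]):
        if seq > next_seq:
            break                           # hole in the stream
        skip = next_seq - seq               # bytes we already hold
        if skip >= len(data):
            continue                        # pure retransmission
        stream += data[skip:]
        next_seq += len(data) - skip
    return bytes(stream)

def match_per_packet(segments, pattern):
    """Sequence numbers of single segments that contain the pattern."""
    return [seq for seq, data in segments if pattern in data]

def match_pseudo_packet(segments, isn, pattern):
    """Return the reassembled payload if the pattern is in it, else None."""
    payload = reassemble(segments, isn)
    return payload if pattern in payload else None

ISN = 1000
SEGMENTS = [                                # constructed, in arrival order
    (1008, b"c/pas"),
    (1001, b"GET /et"),
    (1013, b"swd HTTP/1.0\r\n\r\n"),
    (1006, b"etc/p"),                       # overlapping retransmission
]
PATTERN = b"/etc/passwd"                    # sample signature content

if __name__ == "__main__":
    print("per-packet hits:", match_per_packet(SEGMENTS, PATTERN))
    print("pseudo packet  :", match_pseudo_packet(SEGMENTS, ISN, PATTERN))
```

The per-packet list is empty while the merged payload matches, which is why an alert raised on reassembled data is logged as one large packet rather than as the original segments.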
Current thread:
- Reconstruction of TCP packets Rajesh Joseph (Mar 29)
- Re: Reconstruction of TCP packets Dirk Geschke (Mar 29)
- Re: Reconstruction of TCP packets Rajesh Joseph (Mar 29)
- Re: Reconstruction of TCP packets Jason Haar (Mar 29)
- Re: Reconstruction of TCP packets Rajesh Joseph (Mar 30)
- Re: Reconstruction of TCP packets Dirk Geschke (Mar 30)
- Re: Reconstruction of TCP packets Rajesh Joseph (Mar 31)
- Re: Reconstruction of TCP packets Dirk Geschke (Mar 31)
- Re: Reconstruction of TCP packets Rajesh Joseph (Mar 29)
- Re: Reconstruction of TCP packets Dirk Geschke (Mar 29)