Snort mailing list archives
Re: snort 2.3.3 --enable-flexresp
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 25 Apr 2005 12:06:55 -0400
Matt Kettler wrote:
> When you use a telnet client to generate test traffic, the telnet client will generally send one TCP segment per character because the telnet client explicitly disables the nagle algorithm.
Side note: this depends a LOT on which telnet client you use. Apparently some telnet clients do send data in bursts under some circumstances, and others send it byte-by-byte. In general, it's probably a better idea to test with netcat, or similar tools which don't play games with what gets put on the wire.

However, it would be better if stream4 could re-assemble this, but AFAIK it cannot. It's really more designed for simple segmentation cases, not really slow byte-by-byte transfers.

For example, this packet was captured using the RedHat Linux telnet client connecting to a sendmail server on port 25. No data was sent until I hit CR: "HELLO<cr/lf>" (hex 48 45 4c 4c 4f 0d 0a)

11:45:45.105951 10.0.0.xx.17098 > 192.168.50.xx.smtp: P [tcp sum ok] 1:8(7) ack 87 win 5840 <nop,nop,timestamp 351528130 182833090> (DF) [tos 0x10] (ttl 64, id 23716, len 59)
    4510 003b 5ca4 4000 4006 e145 0a00 00xx
    c0a8 32xx 42ca 0019 0edf e86f f6fb 2d7b
    8018 16d0 4275 0000 0101 080a 14f3 e4c2
    0ae5 cfc2 4845 4c4c 4f0d 0a

However, this stream came from telneting to the same server with the Microsoft Windows command prompt telnet client, and it sent each character as I typed it, and the server acknowledged each TCP segment before I could type another character.

"H" (hex 48)
11:47:48.028835 10.0.4.xx.1408 > 192.168.50.xx.smtp: P [tcp sum ok] 1:2(1) ack 87 win 64154 (DF) (ttl 128, id 13723, len 41)
    4500 0029 359b 4000 8006 c42b 0a00 04xx
    c0a8 32xx 0580 0019 13f4 6729 cdd4 7084
    5018 fa9a ad18 0000 4800 0000 0000
11:47:48.028887 192.168.50.xx.smtp > 10.0.4.xx.1408: . [tcp sum ok] ack 2 win 5840 (DF) (ttl 64, id 40418, len 40)
    4500 0028 9de2 4000 4006 9be5 c0a8 32xx
    0a00 04xx 0019 0580 cdd4 7084 13f4 672a
    5010 16d0 d8eb 0000

"E" (hex 45)
11:47:48.654637 10.0.4.xx.1408 > 192.168.50.xx.smtp: P [tcp sum ok] 2:3(1) ack 87 win 64154 (DF) (ttl 128, id 13725, len 41)
    4500 0029 359d 4000 8006 c429 0a00 04xx
    c0a8 32xx 0580 0019 13f4 672a cdd4 7084
    5018 fa9a b017 0000 4500 0000 0000
11:47:48.654688 192.168.50.xx.smtp > 10.0.4.xx.1408: . [tcp sum ok] ack 3 win 5840 (DF) (ttl 64, id 56749, len 40)
    4500 0028 ddad 4000 4006 5c1a c0a8 32xx
    0a00 04xx 0019 0580 cdd4 7084 13f4 672b
    5010 16d0 d8ea 0000

"L" (hex 4c)
11:47:49.141334 10.0.4.xx.1408 > 192.168.50.xx.smtp: P [tcp sum ok] 3:4(1) ack 87 win 64154 (DF) (ttl 128, id 13727, len 41)
    4500 0029 359f 4000 8006 c427 0a00 04xx
    c0a8 32xx 0580 0019 13f4 672b cdd4 7084
    5018 fa9a a916 0000 4c00 0000 0000
11:47:49.141389 192.168.50.xx.smtp > 10.0.4.xx.1408: . [tcp sum ok] ack 4 win 5840 (DF) (ttl 64, id 47892, len 40)
    4500 0028 bb14 4000 4006 7eb3 c0a8 32xx
    0a00 04xx 0019 0580 cdd4 7084 13f4 672c
    5010 16d0 d8e9 0000

"L" (hex 4c)
11:47:49.474804 10.0.4.xx.1408 > 192.168.50.xx.smtp: P [tcp sum ok] 4:5(1) ack 87 win 64154 (DF) (ttl 128, id 13729, len 41)
    4500 0029 35a1 4000 8006 c425 0a00 04xx
    c0a8 32xx 0580 0019 13f4 672c cdd4 7084
    5018 fa9a a915 0000 4c00 0000 0000
11:47:49.474865 192.168.50.xx.smtp > 10.0.4.xx.1408: . [tcp sum ok] ack 5 win 5840 (DF) (ttl 64, id 43544, len 40)
    4500 0028 aa18 4000 4006 8faf c0a8 32xx
    0a00 04xx 0019 0580 cdd4 7084 13f4 672d
    5010 16d0 d8e8 0000

"O" (hex 4f)
11:47:49.769274 10.0.4.xx.1408 > 192.168.50.xx.smtp: P [tcp sum ok] 5:6(1) ack 87 win 64154 (DF) (ttl 128, id 13731, len 41)
    4500 0029 35a3 4000 8006 c423 0a00 04xx
    c0a8 32xx 0580 0019 13f4 672d cdd4 7084
    5018 fa9a a614 0000 4f00 0000 0000
11:47:49.769318 192.168.50.xx.smtp > 10.0.4.xx.1408: . [tcp sum ok] ack 6 win 5840 (DF) (ttl 64, id 50071, len 40)
    4500 0028 c397 4000 4006 7630 c0a8 32xx
    0a00 04xx 0019 0580 cdd4 7084 13f4 672e
    5010 16d0 d8e7 0000

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
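The difference Matt's two captures show is exactly the work a stream reassembler has to do before a content rule can match "HELLO": the Linux client delivers the string in one segment, the Windows client delivers one byte per segment and the string only exists once the segments are put back together by sequence number. The following is an added example, not code from the post or from Snort's stream4: it decodes the tcpdump -x hex dumps above (copied verbatim; the masked "xx" address octets are replaced with 01 purely as an assumption so the bytes parse, and checksums are not re-verified since tcpdump already reported them ok) and reassembles the client side of the Windows session. It trims the Ethernet padding that follows the one-byte payloads, accepts segments in any order, ignores retransmitted bytes, and reports a hole rather than silently returning a truncated stream. 32-bit sequence wrap is not handled, which a production reassembler must do.

```python
"""Decode the tcpdump -x dumps from the post and reassemble the
one-byte-per-segment Windows telnet stream by TCP sequence number.
Added example; the hex is copied from the post, "xx" octets become 01
here as an assumption that none of the parsed fields depend on."""
import struct

LINUX_TELNET_DUMP = (
    "4510 003b 5ca4 4000 4006 e145 0a00 00xx c0a8 32xx 42ca 0019 0edf e86f "
    "f6fb 2d7b 8018 16d0 4275 0000 0101 080a 14f3 e4c2 0ae5 cfc2 4845 4c4c 4f0d 0a")

# Client data segments and server ACKs, interleaved exactly as captured.
WINDOWS_TELNET_DUMPS = [
    "4500 0029 359b 4000 8006 c42b 0a00 04xx c0a8 32xx 0580 0019 13f4 6729 cdd4 7084 5018 fa9a ad18 0000 4800 0000 0000",
    "4500 0028 9de2 4000 4006 9be5 c0a8 32xx 0a00 04xx 0019 0580 cdd4 7084 13f4 672a 5010 16d0 d8eb 0000",
    "4500 0029 359d 4000 8006 c429 0a00 04xx c0a8 32xx 0580 0019 13f4 672a cdd4 7084 5018 fa9a b017 0000 4500 0000 0000",
    "4500 0028 ddad 4000 4006 5c1a c0a8 32xx 0a00 04xx 0019 0580 cdd4 7084 13f4 672b 5010 16d0 d8ea 0000",
    "4500 0029 359f 4000 8006 c427 0a00 04xx c0a8 32xx 0580 0019 13f4 672b cdd4 7084 5018 fa9a a916 0000 4c00 0000 0000",
    "4500 0028 bb14 4000 4006 7eb3 c0a8 32xx 0a00 04xx 0019 0580 cdd4 7084 13f4 672c 5010 16d0 d8e9 0000",
    "4500 0029 35a1 4000 8006 c425 0a00 04xx c0a8 32xx 0580 0019 13f4 672c cdd4 7084 5018 fa9a a915 0000 4c00 0000 0000",
    "4500 0028 aa18 4000 4006 8faf c0a8 32xx 0a00 04xx 0019 0580 cdd4 7084 13f4 672d 5010 16d0 d8e8 0000",
    "4500 0029 35a3 4000 8006 c423 0a00 04xx c0a8 32xx 0580 0019 13f4 672d cdd4 7084 5018 fa9a a614 0000 4f00 0000 0000",
    "4500 0028 c397 4000 4006 7630 c0a8 32xx 0a00 04xx 0019 0580 cdd4 7084 13f4 672e 5010 16d0 d8e7 0000",
]


def parse_ipv4_tcp(hexdump):
    """Decode one IPv4/TCP packet from tcpdump -x hex into a dict of fields."""
    raw = bytes.fromhex(hexdump.replace("xx", "01").replace(" ", ""))
    version_ihl, _tos, total_len = struct.unpack("!BBH", raw[:4])
    if version_ihl >> 4 != 4 or raw[9] != 6:
        raise ValueError("expected an IPv4/TCP packet")
    ihl = (version_ihl & 0x0F) * 4
    # Slice by the IP total length, not len(raw): the 41-byte client frames
    # carry Ethernet padding after the single payload byte (the trailing
    # "00 0000 0000" in the dumps), which must not be treated as data.
    tcp = raw[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (off_flags >> 12) * 4   # data offset in 32-bit words; 8 for the Linux dump with options
    return {
        "src": ".".join(str(b) for b in raw[12:16]),
        "dst": ".".join(str(b) for b in raw[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF,
        "payload": tcp[doff:],
    }


def reassemble(segments, src_ip, dst_port=25):
    """Concatenate payload from src_ip to dst_port in sequence-number order.

    Segments may be supplied in any order. A retransmitted or overlapping
    segment contributes only bytes not already seen. A hole stops reassembly
    and is reported as the second return value so the caller never inspects
    a truncated stream as if it were complete. Sequence wrap is not handled.
    """
    data = sorted(
        (s for s in segments
         if s["src"] == src_ip and s["dport"] == dst_port and s["payload"]),
        key=lambda s: s["seq"])
    out = bytearray()
    expected = data[0]["seq"] if data else None
    for s in data:
        if s["seq"] > expected:
            return bytes(out), True        # bytes missing before this segment
        skip = expected - s["seq"]         # 0 in order, >0 for overlap/retransmit
        fresh = s["payload"][skip:]
        out += fresh
        expected += len(fresh)
    return bytes(out), False


def windows_segments():
    return [parse_ipv4_tcp(h) for h in WINDOWS_TELNET_DUMPS]


def demo():
    """Both captures side by side, plus a reordered and a lossy variant."""
    segs = windows_segments()
    return {
        "linux_single_segment": parse_ipv4_tcp(LINUX_TELNET_DUMP)["payload"],
        "windows_in_order": reassemble(segs, "10.0.4.1"),
        "windows_reversed": reassemble(list(reversed(segs)), "10.0.4.1"),
        # Drop the first "L" segment (relative seq 3:4) to provoke a hole.
        "windows_with_hole": reassemble(
            [s for s in segs if s["seq"] != 0x13F4672B], "10.0.4.1"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running it shows the Linux dump yielding b"HELLO\r\n" from a single 7-byte segment, the five Windows segments yielding b"HELLO" whether fed in capture order or reversed, and the variant with a dropped segment stopping at b"HE" with the hole flag set. A rule that matches content against individual packets sees "HELLO" only in the first case, which is the point of Matt's advice to generate test traffic with netcat rather than a telnet client that sends one byte per segment.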
Current thread:
- Snort 2.3.3 available Jeremy Hewlett (Apr 23)
- Re: Snort 2.3.3 available Eric Maheo (Apr 24)
- Re: Snort 2.3.3 available James Riden (Apr 26)
- snort 2.3.3 --enable-flexresp hans (Apr 25)
- Re: snort 2.3.3 --enable-flexresp John C. Silvia (Apr 25)
- Re: snort 2.3.3 --enable-flexresp hans (Apr 27)
- Re: snort 2.3.3 --enable-flexresp hans (Apr 27)
- Re: snort 2.3.3 --enable-flexresp Matt Kettler (Apr 25)
- Re: snort 2.3.3 --enable-flexresp Matt Kettler (Apr 25)
- Re: snort 2.3.3 --enable-flexresp Rich Adamson (Apr 26)
- Re: snort 2.3.3 --enable-flexresp hans (Apr 27)
- Re: snort 2.3.3 --enable-flexresp John C. Silvia (Apr 25)
- Re: snort 2.3.3 --enable-flexresp hans (May 01)
- showing payload hans (May 08)
- Re: Snort 2.3.3 available Eric Maheo (Apr 24)
- <Possible follow-ups>
- RE: Snort 2.3.3 available Harper, Patrick (Apr 26)