Snort mailing list archives

Re: ICMP Unreachable IP short header


From: Ralf Hildebrandt <Ralf.Hildebrandt () innominate com>
Date: Tue, 12 Jun 2001 11:35:45 +0200

On Mon, Jun 11, 2001 at 03:47:37PM -0600, Phil Wood wrote:

> /data/bin/snort -V
> Version 1.8-beta5 (Build 24)

Same here.

> Then, after the fact, I can:
>
> % tcpdump -x -n -r /data/log/eth1/be20010611.0000 icmp
>
> I think this horse is dead.  Let me know if you get it working.

With tcpdump, it worked. Maybe my playback script isn't so great --
shouldn't snort be able to dump the packets as well?

17:52:55.403485 truncated-ip - 9 bytes missing!134.169.2.204 > 134.169.43.1: [|icmp]
                         4500 0038 fe8c 0000 ff01 8218 86a9 02cc
                         86a9 2b01 0301 fcfe 0000 0000 4500 001c
                         b101 0000 0102 673a 86a9 2b01 efff ff
17:53:30.727245 truncated-ip - 14 bytes missing!134.169.2.204 > 134.169.61.131: [|icmp]
                         4500 003c feff 0000 ff01 6f1f 86a9 02cc
                         86a9 3d83 0301 fcfe 0000 0000 4600 0020
                         cd64 0000 0102 b344 86a9 3d83 e000
17:54:13.635814 truncated-ip - 9 bytes missing!134.169.2.204 > 134.169.53.64: [|icmp]
                         4500 0038 ff1c 0000 ff01 7749 86a9 02cc
                         86a9 3540 0301 fcfe 0000 0000 4500 001c
                         b11b 0000 0102 6b9f 86a9 3540 e000 01
17:54:13.638071 truncated-ip - 9 bytes missing!134.169.2.204 > 134.169.53.64: [|icmp]
                         4500 0038 ff1c 0000 fe01 7849 86a9 02cc
                         86a9 3540 0301 fcfe 0000 0000 4500 001c
                         b11b 0000 0102 6b9f 86a9 3540 e000 01

That thing has an Allegro Rom Pager 2.00, so I guess it's a switch or
something like that.

-- 
ralf.hildebrandt () innominate com                            innominate AG
Technical Consultant                   Don't be afraid of what you see -
Diplom-Informatiker                     be afraid of what you don't see!
tel: +49.(0)7000.POSTFIX                        fax: +49.(0)30.308806-77
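
An added example (not part of the original message, and not Snort's or tcpdump's code) that decodes the first two tcpdump records above: it compares the outer IP total length with the bytes captured and checks whether the IP header quoted inside each ICMP unreachable is complete. The function and key names are chosen here for illustration.

```python
import struct

# Hex bytes copied from the first two tcpdump -x records in the message above.
SAMPLES = {
    "17:52:55.403485": """4500 0038 fe8c 0000 ff01 8218 86a9 02cc
                          86a9 2b01 0301 fcfe 0000 0000 4500 001c
                          b101 0000 0102 673a 86a9 2b01 efff ff""",
    "17:53:30.727245": """4500 003c feff 0000 ff01 6f1f 86a9 02cc
                          86a9 3d83 0301 fcfe 0000 0000 4600 0020
                          cd64 0000 0102 b344 86a9 3d83 e000""",
}

def analyze(hexdump):
    """Decode an IPv4/ICMP capture and report how much of it is missing."""
    pkt = bytes.fromhex(hexdump)          # whitespace in the dump is ignored
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("need at least a 20-byte IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4             # outer header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    info = {"captured": len(pkt), "ip_total_len": total_len,
            "missing": max(total_len - len(pkt), 0), "proto": pkt[9]}
    if pkt[9] != 1 or len(pkt) < ihl + 8: # not ICMP, or ICMP header cut off
        return info
    info["icmp_type"], info["icmp_code"] = pkt[ihl], pkt[ihl + 1]
    inner = pkt[ihl + 8:]                 # quoted original datagram
    if info["icmp_type"] == 3 and inner:  # destination unreachable
        inner_ihl = (inner[0] & 0x0F) * 4
        info["inner_hdr_len"] = inner_ihl
        info["inner_captured"] = len(inner)
        info["inner_hdr_complete"] = len(inner) >= inner_ihl
        if len(inner) >= 4:
            info["inner_total_len"] = struct.unpack("!H", inner[2:4])[0]
        if len(inner) >= 10:
            info["inner_proto"] = inner[9]
    return info

if __name__ == "__main__":
    for ts, dump in SAMPLES.items():
        print(ts, analyze(dump))
```

In both records the quoted header stops short of its own declared header length (19 of 20 bytes, and 18 of 24), and the shortfall against the outer total length matches the "bytes missing" figure tcpdump printed.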


