Snort mailing list archives

Re: simple question on packet sizes


From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 28 May 2001 00:43:25 -0400

"James R. Hendrick" wrote:

Hi,

When looking at the output of snort, there are several (basic) fields that I
need some help understanding:

IpLen

IP header length from the p->iph->ip_hlen field of the IP header.  This
is normally set to "5" (indicated in the decode as 20-bytes) except when
IP options are present.

TcpLen

Value of the p->tcph->th_off field, indicates the length of TCP
headers.  This is normally "5" (20-bytes in the output again) except
when TCP options are available.

DgmLen

This is the datagram length from the p->iph->ip_len field, it indicates
the length of the packet (including the IP header).

Len

UDP length from the UDP header decode, length of the payload + UDP
header.


     -Marty

I am trying to determine the number of bytes in packets (of various types,
mostly TCP) that make up "payload" vs. "header" for various services and
must simply be missing something obvious (need more coffffeeeeee).

The part that confuses me is that I see DgmLen in TCP packets as well as UDP
and TcpLen in UDP packets as well as TCP. Can someone help me understand
which fields I will see for which protocols and what they represent?

That's not right; you shouldn't be seeing TcpLen in UDP packets. The
printout code is mutually exclusive, so this is (should be) impossible.
Can you show me an example?

     -Marty


Thanks!

Jim

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org
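Below is an added example, not Snort's code and not from either poster, that reads the same header fields Marty describes (the IP header length nibble, the IP total length, the TCP data offset nibble and the UDP length word) from raw IPv4 bytes and derives the four numbers the printout shows, in bytes, plus the payload byte count Jim is after. It assumes the field names as Snort prints them and builds its own sample packets (a plain TCP segment, one with IP and TCP options, and a UDP datagram; checksums are left at zero because nothing here verifies them). DgmLen comes from the IP header and so appears for both TCP and UDP; TcpLen only exists for TCP and Len only for UDP.

```python
"""Derive Snort's IpLen / DgmLen / TcpLen / Len fields from raw IPv4 bytes.

Added example (not Snort source). All values returned are in bytes, as the
Snort printout shows them, even though ip_hlen and th_off are stored in
32-bit words on the wire.
"""
import struct


def decode(packet: bytes) -> dict:
    """Return the length fields Snort prints for one IPv4 packet, plus payload size."""
    if len(packet) < 20:
        raise ValueError("truncated IP header")
    ver_ihl, _tos, ip_len, _ident, _frag, _ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ip_hlen = (ver_ihl & 0x0F) * 4          # IHL nibble (p->iph->ip_hlen) is in words
    if ip_hlen < 20 or ip_len < ip_hlen or len(packet) < ip_len:
        # ip_len larger than the bytes we hold means a truncated capture or a
        # forged header; refuse rather than compute a negative payload size.
        raise ValueError("bad IP length fields")
    fields = {"IpLen": ip_hlen, "DgmLen": ip_len, "proto": proto}
    l4 = packet[ip_hlen:ip_len]             # everything after the IP header (+options)

    if proto == 6:                          # TCP
        if len(l4) < 20:
            raise ValueError("truncated TCP header")
        th_off = (l4[12] >> 4) * 4          # data offset nibble (p->tcph->th_off) in words
        if th_off < 20 or th_off > len(l4):
            raise ValueError("bad TCP data offset")
        fields["TcpLen"] = th_off
        fields["payload"] = ip_len - ip_hlen - th_off
    elif proto == 17:                       # UDP
        if len(l4) < 8:
            raise ValueError("truncated UDP header")
        udp_len = struct.unpack("!H", l4[4:6])[0]   # UDP length = 8-byte header + payload
        if udp_len < 8 or udp_len > len(l4):
            raise ValueError("bad UDP length")
        fields["Len"] = udp_len
        fields["payload"] = udp_len - 8
    else:
        fields["payload"] = len(l4)         # other protocols: no L4 header parsed here
    return fields


# --- constructed sample packets (assumed addresses/ports, zero checksums) ---

def ipv4(proto: int, l4: bytes, options: bytes = b"") -> bytes:
    """IPv4 header (+options) in front of an L4 segment; options must be word-aligned."""
    assert len(options) % 4 == 0
    ihl = 5 + len(options) // 4
    total = 20 + len(options) + len(l4)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0x1234, 0,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + options + l4


def tcp(payload: bytes, options: bytes = b"") -> bytes:
    """TCP header (+options) with the data offset nibble set from the option length."""
    assert len(options) % 4 == 0
    th_off = 5 + len(options) // 4
    hdr = struct.pack("!HHIIBBHHH", 1234, 80, 1, 0, th_off << 4, 0x18, 8192, 0, 0)
    return hdr + options + payload


def udp(payload: bytes) -> bytes:
    """UDP header whose length word covers header plus payload."""
    return struct.pack("!HHHH", 1234, 53, 8 + len(payload), 0) + payload


TCP_PLAIN = ipv4(6, tcp(b"GET / HTTP/1.0\r\n"))
# 4 bytes of IP options (router alert) and 12 bytes of TCP options (NOP, NOP, timestamp)
TCP_OPTS = ipv4(6, tcp(b"GET / HTTP/1.0\r\n", options=b"\x01\x01\x08\x0a" + bytes(8)),
                options=b"\x94\x04\x00\x00")
UDP_DNS = ipv4(17, udp(b"example query"))

SAMPLES = {"tcp plain": TCP_PLAIN, "tcp with options": TCP_OPTS, "udp": UDP_DNS}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18s} {decode(pkt)}")
```

With 20-byte headers and no options the printout reads IpLen:20 TcpLen:20, so the payload for a TCP segment is simply DgmLen minus 40; with options both numbers grow in multiples of four and the same subtraction still holds. For UDP, Len already includes the 8-byte UDP header, so the payload is Len minus 8, and DgmLen minus IpLen should equal Len on a well-formed packet.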
