Snort mailing list archives
Re: tcpdump for [!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xdc05])]
From: John Sage <jsage () finchhaven com>
Date: Mon, 22 Jul 2002 13:16:27 -0700
Max:
But I replayed the capture you posted perfectly, so it's nothing to
do with a switch or anything -- the capture is being created
accurately, it's just that when you replay it, something gets broken.
[toot@sparky /home/www/html/sys_docs/test]# snort -v -r snort_not_loggin.dump
Log directory = /var/log/snort
TCPDUMP file reading mode.
Reading network traffic from "snort_not_loggin.dump" file.
snaplen = 96
<snip>
Run time for packet processing was 0.18953 seconds
===============================================================================
Snort processed 28 packets.
Breakdown by protocol: Action Stats:
TCP: 24 (85.714%) ALERTS: 0
UDP: 2 (7.143%) LOGGED: 0
ICMP: 0 (0.000%) PASSED: 0
ARP: 2 (7.143%)
IPv6: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 0 (0.000%)
===============================================================================
I'm replaying your post on a box that appears identical: RHL 7.2;
libpcap 0.6.2; snort 1.8.7 build 128.
You're not running this through a pager ("more" or "less") are you?
I've noticed weirdnesses from time to time when trying to page through
a binary logfile on readback...
- John
--
"Cowardly refusing to create an empty archive."
PGP key http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
On Mon, Jul 22, 2002 at 02:35:09PM -0500, max valdez wrote:
This is my snort Output
Snort doesn't recognize something in the packets.
I'm on a RH 7.3 box, libpcap-0.6.2-12
But as someone smart said, the problem might be on the switch.
Anything else needed?
-------------------
[max@garaged max]$ snort -v -r tcpdump-snort-not-loggin
Log directory = /var/log/snort
TCPDUMP file reading mode.
Reading network traffic from "tcpdump-snort-not-loggin" file.
snaplen = 96
--== Initializing Snort ==--
--== Initialization Complete ==--
-*> Snort! <*-
Version 1.8.7 (Build 128)
By Martin Roesch (roesch () sourcefire com, www.snort.org)
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xdc05])
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x3400])
07/22-11:49:16.689735 ARP who-has 132.248.33.14 tell 132.248.33.254
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xdc05])
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x3400])
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xdc05])
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x3400])
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x6c00])
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xdc05])
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x3400])
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xdc05])
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x3400])
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xdc05])
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x3400])
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xdc05])
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x3400])
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xdc05])
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x3400])
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xdc05])
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x3400])
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xdc05])
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x3400])
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x4e00])
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xdc05])
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x3400])
07/22-11:49:19.150067 ARP who-has 132.248.33.14 tell 132.248.33.254
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0xdc05])
[!] WARNING: Not IPv4 datagram! ([ver: 0x5][len: 0x3400])
Run time for packet processing was 0.430 seconds
===============================================================================
Snort processed 28 packets.
Breakdown by protocol: Action Stats:
TCP: 0 (0.000%) ALERTS: 0
UDP: 0 (0.000%) LOGGED: 0
ICMP: 0 (0.000%) PASSED: 0
ARP: 2 (7.143%)
IPv6: 0 (0.000%)
IPX: 0 (0.000%)
OTHER: 0 (0.000%)
===============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0 (0.000%)
Rebuilt IP Packets: 0
Frag elements used: 0
Discarded(incomplete): 0
Discarded(timeout): 0
===============================================================================
TCP Stream Reassembly Stats:
TCP Packets Used: 0 (0.000%)
Reconstructed Packets: 0 (0.000%)
Streams Reconstructed: 0
===============================================================================
Snort received signal 3, exiting
----
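Added example, not part of the original post and not Snort's own code: one way to check a capture file independently of Snort's decoder, in the spirit of the replay test above. It parses a classic pcap file and reports, for each Ethernet frame, the IP version nibble and total length that the warning prints; the sample capture (including one frame with a deliberately wrong version nibble) and the function names are constructed for illustration.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
LINKTYPE_ETHERNET = 1

def build_sample_pcap():
    """Constructed sample: valid IPv4 frame, ARP frame, frame with a bad version nibble."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 52, 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + b"\x00" * 32
    bad = bytes([0x54]) + ip[1:]  # first byte altered so the version nibble reads 5
    eth = b"\xaa" * 6 + b"\xbb" * 6
    frames = [eth + struct.pack("!H", ETHERTYPE_IPV4) + ip,
              eth + struct.pack("!H", 0x0806) + b"\x00" * 28,
              eth + struct.pack("!H", ETHERTYPE_IPV4) + bad]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 96, LINKTYPE_ETHERNET)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def check_pcap(data):
    """Return (snaplen, linktype, records); record = (index, kind, version, total_len)."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"   # file written by a little-endian host
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"   # file written by a big-endian host
    else:
        raise ValueError("not a classic pcap file")
    snaplen, linktype = struct.unpack(endian + "II", data[16:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    records, off, idx = [], 24, 0
    while off + 16 <= len(data):
        incl_len, = struct.unpack(endian + "I", data[off + 8:off + 12])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14:
            records.append((idx, "truncated", None, None))
        else:
            ethertype, = struct.unpack("!H", frame[12:14])
            if ethertype != ETHERTYPE_IPV4 or len(frame) < 18:
                records.append((idx, "non-ip", None, None))
            else:
                version = frame[14] >> 4                        # high nibble of first IP byte
                total_len, = struct.unpack("!H", frame[16:18])  # network byte order
                kind = "ipv4" if version == 4 else "bad-version"
                records.append((idx, kind, version, total_len))
        idx += 1
    return snaplen, linktype, records
```

If every IPv4 frame in the file comes back as `ipv4` here while Snort still prints the warning on readback, the file is intact and the fault lies in how it is being decoded.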
